ci: prevent multiline gitleaks false positives

.gitea/workflows/gitleaks.yml

@@ -0,0 +1,23 @@
+name: Gitleaks
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.24.2/gitleaks_8.24.2_linux_x64.tar.gz
+          tar -xzf gitleaks_8.24.2_linux_x64.tar.gz
+          chmod +x gitleaks
+
+      - name: Run Gitleaks
+        run: ./gitleaks dir . --config .gitleaks.toml --verbose

.gitignore

@@ -1,5 +1,7 @@
 .DS_Store
 .env
 docker-compose.env
+*/env
 */config
 */data
+*/mysql

.gitleaks.toml

@@ -0,0 +1,36 @@
+title = "Gitleaks Docker Compose CI/CD Config"
+
+[allowlist]
+description = "Ignore sample/example files and placeholders"
+paths = ['''.*\.env\.sample$''', '''.*\.env\.example$''', '''.*example.*''']
+
+regexes = [
+   '''\$\{[A-Za-z0-9_]+\}''',
+   '''(?i)(my-password|my-super-secret-auth-token|super_secret_password|very_sensitive_secret)''',
+]
+
+[[rules]]
+id = "docker-env-password"
+description = "Hardcoded password in docker-compose environment"
+regex = '''(?im)^\s*-?\s*[A-Z0-9_]*(PASSWORD|PASS|PWD)\s*[:=]\s*['"]?([A-Za-z0-9][A-Za-z0-9!@#%^&+=.,_~/-]{7,})['"]?\s*(?:#.*)?$'''
+secretGroup = 2
+tags = ["docker", "compose", "password", "env"]
+
+[[rules]]
+id = "docker-env-secret"
+description = "Hardcoded secret, token, or API key in docker-compose environment"
+regex = '''(?im)^\s*-?\s*[A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY)\s*[:=]\s*['"]?([A-Za-z0-9][A-Za-z0-9_\-]{19,})['"]?\s*(?:#.*)?$'''
+secretGroup = 2
+tags = ["docker", "compose", "secret", "env"]
+
+[[rules]]
+id = "aws-credentials"
+description = "AWS Access Key or Secret"
+regex = '''AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\s*[:=]\s*[A-Za-z0-9/+=]{40}'''
+tags = ["aws", "compose", "credentials"]
+
+[[rules]]
+id = "private-key"
+description = "Private key detected"
+regex = '''-----BEGIN( RSA| EC| DSA| OPENSSH)? PRIVATE KEY-----'''
+tags = ["key", "pem", "compose"]

README.md

@@ -1,15 +1,26 @@
 # docker compose files
 
+<!-- vim-markdown-toc GFM -->
+
+* [Description](#description)
+* [Usage](#usage)
+* [Support](#support)
+* [Contributing](#contributing)
+* [Authors and acknowledgment](#authors-and-acknowledgment)
+* [License](#license)
+* [Project status](#project-status)
+
+<!-- vim-markdown-toc -->
+
 ## Description
 
-This is my collection of docker compose files that I'm either currently using or
-have used on my homelab at some point.
+This is my collection of docker compose files that I'm either currently using or have used on my homelab at some point.
 
 ## Usage
 
 ```sh
 git clone -n --depth=1 --filter=tree:0 \
-  https://git.danesi.dev/cdanesi/docker.git
+    https://git.danesi.dev/cdanesi/docker.git
 cd docker
 git sparse-checkout set --no-cone /<directory name>
 git checkout
@@ -20,8 +31,7 @@ git sparse-checkout add /<directory name>
 
 ## Support
 
-I offer no support for these files. This is what works for me. These are for
-reference purposes only.
+I offer no support for these files. This is what works for me. These are for reference purposes only.
 
 ## Contributing
 
@@ -31,5 +41,4 @@ reference purposes only.
 
 ## Project status
 
-This is an ongoing project. I probably don't update existing compose files, but
-I'll add new stuff as it gets added to my homelab.
+This is an ongoing project. I probably don't update existing compose files, but I'll add new stuff as it gets added to my homelab.

dashy/docker-compose.yml

@@ -14,7 +14,10 @@ services:
       - TZ=America/New_York
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "node", "/app/services/healthcheck"]
+      test:
+        - "CMD"
+        - "node"
+        - "/app/services/healthcheck"
       interval: 1m30s
       timeout: 10s
       retries: 3

fail2ban-exporter/docker-compose.yml

@@ -1,8 +1,9 @@
 ---
 services:
   exporter:
-    image: registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest
+    image: registry.gitlab.com/hctrdev/fail2ban-prometheus-exporter:latest
     volumes:
       - /var/run/fail2ban/:/var/run/fail2ban:ro
     ports:
-      - "9191:9191"
+      - "9191:9191"
+    restart: 'always'

frappe-helpdesk/docker-compose.yml

@@ -0,0 +1,31 @@
+---
+services:
+  mariadb:
+    image: mariadb:10.8
+    command:
+      - --character-set-server=utf8mb4
+      - --collation-server=utf8mb4_unicode_ci
+      - --skip-character-set-client-handshake
+      - --skip-innodb-read-only-compressed # Temporary fix for MariaDB 10.6
+    environment:
+      MYSQL_ROOT_PASSWORD: 123
+    volumes:
+      - mariadb-data:/var/lib/mysql
+
+  redis:
+    image: redis:alpine
+
+  frappe:
+    image: frappe/bench:latest
+    command: bash /workspace/init.sh
+    environment:
+      - SHELL=/bin/bash
+    working_dir: /home/frappe
+    volumes:
+      - .:/workspace
+    ports:
+      - 8000:8000
+      - 9000:9000
+
+volumes:
+  mariadb-data:

frappe-helpdesk/init.sh

@@ -0,0 +1,40 @@
+#!bin/bash
+
+if [ -d "/home/frappe/frappe-bench/apps/frappe" ]; then
+    echo "Bench already exists, skipping init"
+    cd frappe-bench
+    bench start
+else
+    echo "Creating new bench..."
+fi
+
+bench init --skip-redis-config-generation frappe-bench --version version-15
+
+cd frappe-bench
+
+# Use containers instead of localhost
+bench set-mariadb-host mariadb
+bench set-redis-cache-host redis://redis:6379
+bench set-redis-queue-host redis://redis:6379
+bench set-redis-socketio-host redis://redis:6379
+
+# Remove redis, watch from Procfile
+sed -i '/redis/d' ./Procfile
+sed -i '/watch/d' ./Procfile
+
+bench get-app helpdesk --branch main
+
+bench new-site helpdesk.localhost \
+--force \
+--mariadb-root-password 123 \
+--admin-password admin \
+--no-mariadb-socket
+
+bench --site helpdesk.localhost install-app helpdesk
+bench --site helpdesk.localhost set-config developer_mode 1
+bench --site helpdesk.localhost set-config mute_emails 1
+bench --site helpdesk.localhost set-config server_script_enabled 1
+bench --site helpdesk.localhost clear-cache
+bench use helpdesk.localhost
+
+bench start

gitea-runner/docker-compose.yml

@@ -0,0 +1,13 @@
+services:
+  runner:
+    image: docker.io/gitea/act_runner:0.6.1
+    container_name: gitea-runner
+    restart: unless-stopped
+    environment:
+      CONFIG_FILE: /data/config.yaml
+      GITEA_INSTANCE_URL: https://git.danesi.dev
+      GITEA_RUNNER_REGISTRATION_TOKEN: ${GITEA_RUNNER_REGISTRATION_TOKEN}
+      GITEA_RUNNER_NAME: charon-runner-1
+    volumes:
+      - /srv/gitea-runner/data:/data
+      - /var/run/docker.sock:/var/run/docker.sock

gitea/docker-compose.yml

@@ -0,0 +1,47 @@
+services:
+  server:
+    image: docker.gitea.com/gitea:1.26.2
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=db:5432
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=${GITEA_DB_PASSWORD}
+      - GITEA__server__ROOT_URL=https://git.danesi.dev/
+      - GITEA__server__DOMAIN=git.danesi.dev
+      - GITEA__server__SSH_DOMAIN=git.danesi.dev
+      - GITEA__server__SSH_PORT=222
+    restart: unless-stopped
+    networks:
+      - gitea
+      - proxy
+    volumes:
+      - /srv/gitea/data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    expose:
+      - "3000"
+    ports:
+      - "222:22"
+    depends_on:
+      - db
+
+  db:
+    image: docker.io/library/postgres:14
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD=${GITEA_DB_PASSWORD}
+      - POSTGRES_DB=gitea
+    networks:
+      - gitea
+    volumes:
+      - /srv/gitea/postgres:/var/lib/postgresql/data
+
+networks:
+  gitea:
+  proxy:
+    external: true

internet-speed-logger/docker-compose.yml

@@ -34,11 +34,11 @@ services:
     expose:
       - 27017
     environment:
-      - MONGODB_ROOT_PASSWORD=speedtest
+      - MONGODB_ROOT_PASSWORD=${MONGODB_ROOT_PASSWORD}
       - MONGODB_USERNAME=speedtest
-      - MONGODB_PASSWORD=speedtest
+      - MONGODB_PASSWORD=${MONGODB_PASSWORD}
       - MONGODB_DATABASE=speedtest
       - PGID
       - PUID
     volumes:
-      - ./mongo-persistence:/bitnami
+      - ./mongo-persistence:/bitnami

invoiceninja/docker-compose.yml

@@ -4,23 +4,18 @@ services:
     image: nginx
     container_name: in_nginx
     restart: always
+    command: /bin/sh -c "rm -f /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
     env_file: .env
     volumes:
-      # Vhost configuration
-      #- ./config/caddy/Caddyfile:/etc/caddy/Caddyfiledocker-com
-      - ./config/nginx/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
-      - ./data/public:/var/www/app/public:ro
+      - /srv/invoiceninja/config/nginx/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
+      - /srv/invoiceninja/docker/app/public:/var/www/app/public:ro
     depends_on:
       - app
-    # Run webserver nginx on port 80
-    # Feel free to modify depending what port is already occupied
-    ports:
-      - "80:80"
-      #- "443:443"
+    expose:
+      - "80"
     networks:
       - invoiceninja
-    extra_hosts:
-      - "in5.localhost:127.0.0.1" #host and ip
+      - proxy
 
   app:
     image: invoiceninja/invoiceninja:5
@@ -28,38 +23,27 @@ services:
     env_file: .env
     restart: always
     volumes:
-      - ./config/hosts:/etc/hosts:ro
-      - ./data/public:/var/www/app/public:rw,delegated
-      - ./data/storage:/var/www/app/storage:rw,delegated
-      - ./config/php/php.ini:/usr/local/etc/php/php.ini
-      - ./config/php/php-cli.ini:/usr/local/etc/php/php-cli.ini
-
+      - /srv/invoiceninja/config/hosts:/etc/hosts:ro
+      - /srv/invoiceninja/docker/app/public:/var/www/app/public:rw,delegated
+      - /srv/invoiceninja/docker/app/storage:/var/www/app/storage:rw,delegated
+      - /srv/invoiceninja/config/php/php.ini:/usr/local/etc/php/php.ini
+      - /srv/invoiceninja/config/php/php-cli.ini:/usr/local/etc/php/php-cli.ini
     depends_on:
       - db
     networks:
       - invoiceninja
-    extra_hosts:
-      - "in5.localhost:127.0.0.1" #host and ip
 
   db:
-    image: mariadb:10.4
+    image: mysql:8.4.0-oraclelinux8
     container_name: in_mysql
-    ports:
-      - "3305:3306"
     restart: always
     env_file: .env
     volumes:
-      - ./mysql/data:/var/lib/mysql:rw,delegated
-
-      # remove comments for next 4 lines if you want auto sql backups
-      #- ./mysql/bak:/backups:rw
-      #- ./config/mysql/backup-script:/etc/cron.daily/daily:ro
-      #- ./config/mysql/backup-script:/etc/cron.weekly/weekly:ro
-      #- ./config/mysql/backup-script:/etc/cron.monthly/monthly:ro
+      - /srv/invoiceninja/docker/mysql/data:/var/lib/mysql:rw,delegated
     networks:
       - invoiceninja
-    extra_hosts:
-      - "in5.localhost:127.0.0.1" #host and ip
 
 networks:
-  invoiceninja:
+  invoiceninja:
+  proxy:
+    external: true

linkstack/docker-compose.yml

@@ -1,10 +1,12 @@
 ---
 services:
   linkstack:
-    hostname: "linkstack"
     image: "linkstackorg/linkstack:latest"
+    container_name: linkstack
+    network_mode: bridge
     environment:
       TZ: "America/New_York"
+
       SERVER_ADMIN: ${SERVER_ADMIN} # admin email
       HTTP_SERVER_NAME: ${HTTP_SERVER_NAME} # fqdn, no protocol
       HTTPS_SERVER_NAME: ${HTTPS_SERVER_NAME} # fqdn, no protocol
@@ -12,9 +14,10 @@ services:
       PHP_MEMORY_LIMIT: "256M"
       UPLOAD_MAX_FILESIZE: "8M"
     volumes:
-      - "linkstack_data:/htdocs"
+      - linkstack_data:/htdocs
     ports:
-      - "8190:443"
+      - "127.0.0.1:8000:80"
+      # - '127.0.0.1:8190:443'
     restart: unless-stopped
 
 volumes:

linkwarden/.gitignore

@@ -1,50 +0,0 @@
-# dependencies
-/node_modules
-/.pnp
-.pnp.js
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-.pnpm-debug.log*
-
-# env files
-.env*.local
-.env
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
-
-# generated files and folders
-/data
-.idea
-prisma/dev.db
-
-# tests
-/tests
-/test-results/
-/playwright-report/
-/playwright/.cache/
-
-# docker
-pgdata
-certificates

linkwarden/docker-compose.yml

@@ -5,17 +5,35 @@ services:
     env_file: .env
     restart: always
     volumes:
-      - ./pgdata:/var/lib/postgresql/data
+      - /srv/linkwarden/pgdata:/var/lib/postgresql/data
+    networks:
+      - linkwarden_net
 
   linkwarden:
+    restart: "no"
+    mem_limit: 1024m
+    cpus: 0.75
+    # pids_limit: 150
+    container_name: linkwarden
     env_file: .env
     environment:
       - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/postgres
-    restart: always
+    # restart: always
     image: ghcr.io/linkwarden/linkwarden:latest
     ports:
-      - 3000:3000
+      - 127.0.0.1:3000:3000
     volumes:
-      - ./data:/data/data
+      - /srv/linkwarden/data:/data/data
     depends_on:
-      - postgres
+      - postgres
+    networks:
+      - linkwarden_net
+
+networks:
+  linkwarden_net:
+    driver: bridge
+    driver_opts:
+      com.docker.network.driver.mtu: 1450
+    ipam:
+      config:
+        - subnet: 172.31.50.0/24

listmonk/docker-compose.yml

@@ -0,0 +1,70 @@
+# All LISTMONK_* env variables also support the LISTMONK_*_FILE pattern for loading secrets from files with Docker secrets and Podman
+# eg: LISTMONK_ADMIN_USER -> LISTMONK_ADMIN_USER_FILE=/path/to/file_with_value
+
+x-db-credentials: &db-credentials                             # Use the default POSTGRES_ credentials if they're available or simply default to "listmonk"
+  POSTGRES_USER: &db-user listmonk                            # for database user, password, and database name
+  POSTGRES_PASSWORD: &db-password listmonk
+  POSTGRES_DB: &db-name listmonk
+
+services:
+  # listmonk app
+  app:
+    image: listmonk/listmonk:latest
+    container_name: listmonk_app
+    restart: unless-stopped
+    ports:
+      - "9000:9000"                                           # To change the externally exposed port, change to: $custom_port:9000
+    networks:
+      - listmonk
+    hostname: listmonk.example.com                            # Recommend using FQDN for hostname
+    depends_on:
+      - db
+    command: [sh, -c, "./listmonk --install --idempotent --yes --config '' && ./listmonk --upgrade --yes --config '' && ./listmonk --config ''"]
+                                                              # --config (file) param is set to empty so that listmonk only uses the env vars (below) for config.
+                                                              # --install --idempotent ensures that DB installation happens only once on an empty DB, on the first ever start.
+                                                              # --upgrade automatically runs any DB migrations when a new image is pulled.
+
+    environment:                                              # The same params as in config.toml are passed as env vars here.
+      LISTMONK_app__address: 0.0.0.0:9000
+      LISTMONK_db__user: *db-user
+      LISTMONK_db__password: *db-password
+      LISTMONK_db__database: *db-name
+      LISTMONK_db__host: listmonk_db
+      LISTMONK_db__port: 5432
+      LISTMONK_db__ssl_mode: disable
+      LISTMONK_db__max_open: 25
+      LISTMONK_db__max_idle: 25
+      LISTMONK_db__max_lifetime: 300s
+      TZ: Etc/UTC
+      LISTMONK_ADMIN_USER: ${LISTMONK_ADMIN_USER:-}           # If these (optional) are set during the first `docker compose up`, then the Super Admin user is automatically created.
+      LISTMONK_ADMIN_PASSWORD: ${LISTMONK_ADMIN_PASSWORD:-}   # Otherwise, the user can be setup on the web app after the first visit to http://localhost:9000
+    volumes:
+      - ./uploads:/listmonk/uploads:rw                        # Mount an uploads directory on the host to /listmonk/uploads inside the container.
+                                                              # To use this, change directory path in Admin -> Settings -> Media to /listmonk/uploads
+
+  # Postgres database
+  db:
+    image: postgres:17-alpine
+    container_name: listmonk_db
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:5432:5432"                                 # Only bind on the local interface. To connect to Postgres externally, change this to 0.0.0.0
+    networks:
+      - listmonk
+    environment:
+      <<: *db-credentials
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U listmonk"]
+      interval: 10s
+      timeout: 5s
+      retries: 6
+    volumes:
+      - type: volume
+        source: listmonk-data
+        target: /var/lib/postgresql/data
+
+networks:
+  listmonk:
+
+volumes:
+  listmonk-data:

netbox/docker-compose.override.yml.example

@@ -1,23 +0,0 @@
-version: '3.4'
-services:
-  netbox:
-    ports:
-      - "8000:8080"
-    # If you want the Nginx unit status page visible from the
-    # outside of the container add the following port mapping:
-    # - "8001:8081"
-    # healthcheck:
-      # Time for which the health check can fail after the container is started.
-      # This depends mostly on the performance of your database. On the first start,
-      # when all tables need to be created the start_period should be higher than on
-      # subsequent starts. For the first start after major version upgrades of NetBox
-      # the start_period might also need to be set higher.
-      # Default value in our docker-compose.yml is 60s
-      # start_period: 90s
-    # environment:
-      # SKIP_SUPERUSER: "false"
-      # SUPERUSER_API_TOKEN: ""
-      # SUPERUSER_EMAIL: ""
-      # SUPERUSER_NAME: ""
-      # SUPERUSER_PASSWORD: ""
-

nginx-pm/docker-compose.yml

@@ -1,26 +1,36 @@
----
 services:
   app:
     image: "jc21/nginx-proxy-manager:latest"
+    container_name: nginx-proxy-manager
     restart: unless-stopped
+
     ports:
-      # These ports are in format <host-port>:<container-port>
       - "80:80" # Public HTTP Port
       - "443:443" # Public HTTPS Port
-      - "81:81" # Admin Web Port
-      - "22:22" # SSH
+      - "127.0.0.1:81:81" # Admin Web Port
       # Add any other Stream port you want to expose
       # - '21:21' # FTP
 
-    # Uncomment the next line if you uncomment anything in the section
-    # environment:
-    # Uncomment this if you want to change the location of
-    # the SQLite DB file within the container
-    # DB_SQLITE_FILE: "/data/database.sqlite"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
 
-    # Uncomment this if IPv6 is not enabled on your host
-    # DISABLE_IPV6: 'true'
+    networks:
+      - proxy
+      - default
+
+    environment:
+      TZ: "America/New_York"
+      DISABLE_IPV6: "true"
+
+    healthcheck:
+      test: ["CMD", "/usr/bin/check-health"]
+      interval: 10s
+      timeout: 3s
 
     volumes:
-      - ./data:/data
-      - ./letsencrypt:/etc/letsencrypt
+      - /srv/npm/data:/data
+      - /srv/npm/letsencrypt:/etc/letsencrypt
+
+networks:
+  proxy:
+    external: true

paperless-ngx/.gitignore

@@ -1,3 +0,0 @@
-consume/
-export/
-docker-compose.env

paperless-ngx/docker-compose.yml

@@ -1,62 +1,35 @@
-# Docker Compose file for running paperless from the docker container registry.
-# This file contains everything paperless needs to run.
-# Paperless supports amd64, arm and arm64 hardware.
-# All compose files of paperless configure paperless in the following way:
-#
-# - Paperless is (re)started on system boot, if it was running before shutdown.
-# - Docker volumes for storing data are managed by Docker.
-# - Folders for importing and exporting files are created in the same directory
-#   as this file and mounted to the correct folders inside the container.
-# - Paperless listens on port 8000.
-#
-# SQLite is used as the database. The SQLite file is stored in the data volume.
-#
-# In addition to that, this Docker Compose file adds the following optional
-# configurations:
-#
-# - Apache Tika and Gotenberg servers are started with paperless and paperless
-#   is configured to use these services. These provide support for consuming
-#   Office documents (Word, Excel, Power Point and their LibreOffice counter-
-#   parts.
-#
-# To install and update paperless with this file, do the following:
-#
-# - Copy this file as 'docker-compose.yml' and the files 'docker-compose.env'
-#   and '.env' into a folder.
-# - Run 'docker compose pull'.
-# - Run 'docker compose up -d'.
-#
-# For more extensive installation and update instructions, refer to the
-# documentation.
----
 services:
   broker:
     image: docker.io/library/redis:8
     restart: unless-stopped
     volumes:
       - redisdata:/data
+
   webserver:
     image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    container_name: paperless-webserver
     restart: unless-stopped
     depends_on:
       - broker
       - gotenberg
       - tika
-    ports:
-      - "8000:8000"
     volumes:
       - /srv/paperless/data:/usr/src/paperless/data
       - /srv/paperless/media:/usr/src/paperless/media
-      - ./export:/usr/src/paperless/export
-      - ./consume:/usr/src/paperless/consume
-      - /etc/timezone:/etc/timezone
-      - /etc/localtime:/etc/localtime
+      - /srv/paperless/export:/usr/src/paperless/export
+      - /srv/paperless/consume:/usr/src/paperless/consume
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
     env_file: docker-compose.env
     environment:
       PAPERLESS_REDIS: redis://broker:6379
       PAPERLESS_TIKA_ENABLED: 1
       PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
       PAPERLESS_TIKA_ENDPOINT: http://tika:9998
+    networks:
+      - default
+      - proxy
+
   gotenberg:
     image: docker.io/gotenberg/gotenberg:8.20
     restart: unless-stopped
@@ -66,10 +39,14 @@ services:
       - "gotenberg"
       - "--chromium-disable-javascript=true"
       - "--chromium-allow-list=file:///tmp/.*"
+
   tika:
     image: docker.io/apache/tika:latest
     restart: unless-stopped
+
 volumes:
-  data:
-  media:
-  redisdata:
+  redisdata:
+
+networks:
+  proxy:
+    external: true

semaphore/docker-compose.yml

@@ -21,6 +21,8 @@ services:
       SEMAPHORE_ADMIN: "${semaphore_admin}"
       SEMAPHORE_ACCESS_KEY_ENCRYPTION: "${encryption_key}"
       ANSIBLE_HOST_KEY_CHECKING: "false"
+      ANSIBLE_FORKS: 5
+      ANSIBLE_TIMEOUT: 20
     restart: unless-stopped
     volumes:
-      - ./config:/etc/semaphore:rw
+      - /srv/semaphore/config:/etc/semaphore:rw

spoolman/.gitignore

@@ -1 +0,0 @@
-data/

theftstack/docker-compose.transmission.yml

@@ -1,12 +1,15 @@
-version: "3"
+---
+x-common-env: &common-env
+  PUID: ${UID}
+  PGID: ${GID}
+  TZ: America/New_York
+
 services:
   sabnzbd:
     image: lscr.io/linuxserver/sabnzbd:latest
     container_name: sabnzbd
     environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
     volumes:
       - /config/.sabnzbd/:/config
       - /storage/theft/usenet:/data/theft/usenet
@@ -14,26 +17,24 @@ services:
       - 8080:8080
     network_mode: "host"
     restart: unless-stopped
+
   prowlarr:
     image: lscr.io/linuxserver/prowlarr:develop
     container_name: prowlarr
     environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
     volumes:
       - /config/.prowlarr:/config
     ports:
       - 9696:9696
     network_mode: "host"
     restart: unless-stopped
+
   radarr:
     image: lscr.io/linuxserver/radarr:latest
     container_name: radarr
     environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
     volumes:
       - /config/radarr_config:/config
       - /storage:/data
@@ -44,13 +45,12 @@ services:
     depends_on:
       - sabnzbd
       - prowlarr
+
   sonarr:
     image: lscr.io/linuxserver/sonarr:latest
     container_name: sonarr
     environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
     volumes:
       - /config/sonarr_config:/config
       - /storage:/data
@@ -61,13 +61,12 @@ services:
     depends_on:
       - sabnzbd
       - prowlarr
+
   lidarr:
     image: lscr.io/linuxserver/lidarr:latest
     container_name: lidarr
     environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
     volumes:
       - /config/lidarr_config:/config
       - /storage/theft/lidarr/MediaCover:/config/MediaCover
@@ -79,13 +78,12 @@ services:
     depends_on:
       - sabnzbd
       - prowlarr
+
   readarr:
     image: lscr.io/linuxserver/readarr:develop
     container_name: readarr
     environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=America/New_York
+      <<: *common-env
     volumes:
       - /config/readarr_config:/config
       - /storage:/data
@@ -103,10 +101,8 @@ services:
     ports:
       - 6969:6969
     environment:
-      - PUID=1000
-      - PGID=1000
-      - UMASK=002
-      - TZ=America/New_York
+      <<: *common-env
+      UMASK: 002
     volumes:
       - /config/whisparr:/config
       - /storage:/data
@@ -125,13 +121,12 @@ services:
       - /storage/:/data
       - /config/transmission:/config
     environment:
-      - PUID=1000
-      - PGID=1000
-      - OPENVPN_PROVIDER=PIA
-      - OPENVPN_CONFIG=us_east,us_new_york,us_florida,us_atlanta,us_chicago,us_silicon_valley,georgia,italy,lithuania
-      - OPENVPN_USERNAME=${OPENVPN_USER}
-      - OPENVPN_PASSWORD=${OPENVPN_PASS}
-      - LOCAL_NETWORK=10.0.69.96/27
+      <<: *common-env
+      OPENVPN_PROVIDER: PIA
+      OPENVPN_CONFIG: us_east,us_new_york,us_florida,us_atlanta,us_chicago,us_silicon_valley,georgia,italy,lithuania
+      OPENVPN_USERNAME: ${OPENVPN_USER}
+      OPENVPN_PASSWORD: ${OPENVPN_PASS}
+      LOCAL_NETWORK: 10.0.69.96/27
     restart: unless-stopped
     logging:
       driver: json-file
@@ -144,9 +139,9 @@ services:
     image: msroest/sabnzbd_exporter
     container_name: sabnzbd-exporter
     environment:
-      - SABNZBD_BASEURLS=http://dl.homelab.lan:8080/sabnzbd/
-      - SABNZBD_APIKEYS=${SABNZBD_APIKEY}
-      - TZ=America/Detroit
+      <<: *common-env
+      SABNZBD_BASEURLS: http://dl.homelab.lan:8080/sabnzbd/
+      SABNZBD_APIKEYS: ${SABNZBD_APIKEY}
     ports:
       - 9387:9387
     restart: always
@@ -157,6 +152,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["sonarr"]
     environment:
+      <<: *common-env
       PORT: 9707
       URL: "http://dl.homelab.lan:8989"
       APIKEY: ${SONARR_APIKEY}
@@ -170,6 +166,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["radarr"]
     environment:
+      <<: *common-env
       PORT: 9708
       URL: "http://dl.homelab.lan:7878"
       APIKEY: ${RADARR_APIKEY}
@@ -183,6 +180,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["lidarr"]
     environment:
+      <<: *common-env
       PORT: 9709
       URL: "http://dl.homelab.lan:8686"
       APIKEY: ${LIDARR_APIKEY}
@@ -196,6 +194,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["prowlarr"]
     environment:
+      <<: *common-env
       PORT: 9710
       URL: "http://dl.homelab.lan:9696"
       APIKEY: ${PROWLARR_APIKEY}
@@ -209,6 +208,7 @@ services:
     image: ghcr.io/onedr0p/exportarr:latest
     command: ["readarr"]
     environment:
+      <<: *common-env
       PORT: 9711
       URL: "http://dl.homelab.lan:8787"
       APIKEY: ${READARR_APIKEY}
@@ -225,5 +225,5 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
     restart: always
     environment:
+      <<: *common-env
       WATCHTOWER_CLEANUP: "true"
-      TZ: America/Detroit

uptime-kuma/docker-compose.yml

@@ -1,14 +1,17 @@
 ---
 services:
   uptime-kuma:
-    image: louislam/uptime-kuma:1
+    image: louislam/uptime-kuma:2
     container_name: uptime-kuma
+    network_mode: bridge
     volumes:
-      - ./data:/app/data
+      - /srv/uptime-kuma/data:/app/data
     ports:
-      - 3001:3001
+      - 127.0.0.1:3001:3001
     environment:
-      - UID
-      - GID
+      - UID=1000
+      - GID=1000
       - TZ=America/New_York
+      #- SSL_KEY=/data/privkey.pem
+      #- SSL_CERT=/etc/letsencrypt/live/status.charlesdanesi.com/fullchain.pem
     restart: unless-stopped

vaultwarden/docker-compose.yml

@@ -4,19 +4,26 @@ services:
     image: vaultwarden/server:latest
     container_name: vaultwarden
     restart: unless-stopped
+    network_mode: bridge
     environment:
       TZ: America/Detroit
       SIGNUPS_ALLOWED: "false"
       WEBSOCKET_ENABLED: "true"
-      ADMIN_TOKEN: "${ADMIN_TOKEN}"
+      # ADMIN_TOKEN: "${ADMIN_TOKEN}"
       DOMAIN: "${DOMAIN}"
       SHOW_PASSWORD_HINT: "false"
       USE_SYSLOG: "false"
-      LOG_FILE: /data/logs/vaultwarden.log
+      LOG_FILE: /var/log/vaultwarden/vaultwarden.log
       LOG_LEVEL: "warn"
       EXTENDED_LOGGING: "true"
     volumes:
-      - /root/docker/vault/data/:/data
+      - /srv/vaultwarden/data/:/data
+      - /var/log/vaultwarden:/var/log/vaultwarden
     ports:
       - 127.0.0.1:8090:80
-      - 127.0.0.1:3012:3012
+      - 127.0.0.1:3012:3012
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"

veloren/docker-compose.yml

@@ -10,7 +10,7 @@ services:
       - "14005:14005"
     restart: always
     volumes:
-      - "./userdata:/opt/userdata"
+      - "/srv/veloren/userdata:/opt/userdata"
     environment:
       - RUST_LOG=debug,common::net=info
 

zammad/docker-compose.yml

@@ -0,0 +1,227 @@
+---
+x-shared:
+  zammad-service: &zammad-service
+    environment: &zammad-environment
+      MEMCACHE_SERVERS: ${MEMCACHE_SERVERS:-zammad-memcached:11211}
+      POSTGRESQL_DB: ${POSTGRES_DB:-zammad_production}
+      POSTGRESQL_HOST: ${POSTGRES_HOST:-zammad-postgresql}
+      POSTGRESQL_USER: ${POSTGRES_USER:-zammad}
+      POSTGRESQL_PASS: ${POSTGRES_PASS:-zammad}
+      POSTGRESQL_PORT: ${POSTGRES_PORT:-5432}
+      POSTGRESQL_OPTIONS: ${POSTGRESQL_OPTIONS:-?pool=50}
+      POSTGRESQL_DB_CREATE:
+
+      REDIS_URL: ${REDIS_URL:-redis://zammad-redis:6379}
+      REDIS_SENTINELS:
+      REDIS_SENTINEL_NAME:
+      REDIS_USERNAME:
+      REDIS_PASSWORD:
+      REDIS_SENTINEL_USERNAME:
+      REDIS_SENTINEL_PASSWORD:
+
+      S3_URL:
+      BACKUP_DIR: "${BACKUP_DIR:-/var/tmp/zammad}"
+      BACKUP_TIME: "${BACKUP_TIME:-03:00}"
+      BACKUP_ON_START: "${BACKUP_ON_START:-true}"
+      HOLD_DAYS: "${HOLD_DAYS:-10}"
+      TZ: "${TZ:-Europe/Berlin}"
+
+      AUTOWIZARD_JSON:
+      AUTOWIZARD_RELATIVE_PATH:
+      ELASTICSEARCH_ENABLED:
+      ELASTICSEARCH_SCHEMA:
+      ELASTICSEARCH_HOST:
+      ELASTICSEARCH_PORT:
+      ELASTICSEARCH_USER:
+      ELASTICSEARCH_PASS:
+      ELASTICSEARCH_NAMESPACE:
+      ELASTICSEARCH_REINDEX:
+      NGINX_PORT:
+      NGINX_CLIENT_MAX_BODY_SIZE:
+      NGINX_SERVER_NAME:
+      NGINX_SERVER_SCHEME:
+      RAILS_TRUSTED_PROXIES:
+      ZAMMAD_HTTP_TYPE:
+      ZAMMAD_FQDN:
+      ZAMMAD_WEB_CONCURRENCY:
+      ZAMMAD_MANAGE_SESSIONS_JOBS_WORKERS:
+      ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS:
+      ZAMMAD_PROCESS_SCHEDULED_JOBS_WORKERS:
+      ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
+      ZAMMAD_PROCESS_DELAYED_JOBS_WORKER_THREADS:
+      ZAMMAD_PROCESS_DELAYED_AI_JOBS_WORKERS:
+      ZAMMAD_PROCESS_DELAYED_AI_JOBS_WORKER_THREADS:
+      ZAMMAD_PROCESS_DELAYED_COMMUNICATION_INBOUND_JOBS_WORKERS:
+      ZAMMAD_PROCESS_DELAYED_COMMUNICATION_INBOUND_JOBS_WORKER_THREADS:
+      ZAMMAD_OTRS_IMPORT_READ_TIMEOUT:
+      ZAMMAD_OTRS_IMPORT_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_OPEN_TIMEOUT:
+      ZAMMAD_HTTP_READ_TIMEOUT:
+      ZAMMAD_HTTP_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_AI_READ_TIMEOUT:
+      ZAMMAD_HTTP_AI_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_ELASTICSEARCH_READ_TIMEOUT:
+      ZAMMAD_HTTP_ELASTICSEARCH_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_ELASTICSEARCH_REINDEX_READ_TIMEOUT:
+      ZAMMAD_HTTP_ELASTICSEARCH_REINDEX_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_IMPORT_ATTACHMENT_READ_TIMEOUT:
+      ZAMMAD_HTTP_IMPORT_ATTACHMENT_TOTAL_TIMEOUT:
+      ZAMMAD_HTTP_WEBHOOK_READ_TIMEOUT:
+      ZAMMAD_HTTP_WEBHOOK_TOTAL_TIMEOUT:
+
+      ZAMMAD_PROCESS_SESSIONS_JOBS_DISABLE:
+      ZAMMAD_MANAGE_SESSIONS_JOBS_DISABLE:
+      ZAMMAD_PROCESS_SCHEDULED_JOBS_DISABLE:
+      ZAMMAD_PROCESS_DELAYED_JOBS_DISABLE:
+      ZAMMAD_PROCESS_DELAYED_AI_JOBS_DISABLE:
+      ZAMMAD_PROCESS_DELAYED_COMMUNICATION_INBOUND_JOBS_DISABLE:
+
+      ZAMMAD_GRAPHQL_INTROSPECTION:
+      ZAMMAD_AI_API_URL:
+      ZAMMAD_AI_TOKEN:
+      ZAMMAD_UI_BULK_BACKGROUND_UPDATE_THRESHOLD:
+      ZAMMAD_SETTING_TTL:
+      ZAMMAD_SAFE_MODE:
+      ZAMMAD_WEBSOCKET_SESSION_STORE_FORCE_FS_BACKEND:
+      ZAMMAD_RAILSSERVER_PORT:
+
+      ZAMMAD_SESSION_JOBS_CONCURRENT:
+      VIRTUAL_HOST:
+      VIRTUAL_PORT:
+      LETSENCRYPT_HOST:
+      LETSENCRYPT_EMAIL:
+
+    # image: ${IMAGE_REPO:-ghcr.io/zammad/zammad}:${VERSION:-7.0.1-0053}
+    image: ghcr.io/zammad/zammad:6.5.0-101
+    restart: ${RESTART:-always}
+    env_file: .env
+    volumes:
+      - zammad-backup:/var/tmp/zammad:ro
+      - zammad-storage:/opt/zammad/storage
+    depends_on:
+      zammad-memcached:
+        condition: service_healthy
+      zammad-postgresql:
+        condition: service_healthy
+      zammad-redis:
+        condition: service_healthy
+
+services:
+  zammad-backup:
+    <<: *zammad-service
+    command: ["zammad-backup"]
+    volumes:
+      - zammad-backup:/var/tmp/zammad
+      - zammad-storage:/opt/zammad/storage
+    user: 0:0
+
+  zammad-elasticsearch:
+    image: elasticsearch:${ELASTICSEARCH_VERSION:-9.4.2}
+    restart: ${RESTART:-always}
+    volumes:
+      - elasticsearch-data:/usr/share/elasticsearch/data
+    environment:
+      discovery.type: single-node
+      xpack.security.enabled: "false"
+      ES_JAVA_OPTS: ${ELASTICSEARCH_JAVA_OPTS:--Xms1g -Xmx1g}
+
+  zammad-init:
+    <<: *zammad-service
+    command: ["zammad-init"]
+    depends_on:
+      zammad-postgresql:
+        condition: service_healthy
+    restart: on-failure
+    user: 0:0
+
+  zammad-memcached:
+    command: memcached -m 256M
+    image: memcached:${MEMCACHE_VERSION:-1.6.42-alpine}
+    restart: ${RESTART:-always}
+    healthcheck:
+      test: ["CMD", "nc", "-z", "127.0.0.1", "11211"]
+      interval: 10s
+      timeout: 5s
+      start_period: 10s
+      retries: 5
+
+  zammad-nginx:
+    <<: *zammad-service
+    command: ["zammad-nginx"]
+    expose:
+      - "${NGINX_PORT:-8080}"
+    networks:
+      - default
+      - proxy
+    depends_on:
+      zammad-railsserver:
+        condition: service_healthy
+
+  zammad-postgresql:
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB:-zammad_production}
+      POSTGRES_USER: ${POSTGRES_USER:-zammad}
+      POSTGRES_PASSWORD: ${POSTGRES_PASS:-zammad}
+    image: postgres:${POSTGRES_VERSION:-17.10-alpine}
+    restart: ${RESTART:-always}
+    volumes:
+      - postgresql-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
+      interval: 10s
+      timeout: 5s
+      start_period: 60s
+      retries: 5
+
+  zammad-railsserver:
+    <<: *zammad-service
+    command: ["zammad-railsserver"]
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "curl",
+          "-sf",
+          "http://127.0.0.1:${ZAMMAD_RAILSSERVER_PORT:-3000}",
+        ]
+      interval: 30s
+      timeout: 5s
+      start_period: 120s
+      retries: 3
+
+  zammad-redis:
+    image: redis:${REDIS_VERSION:-8.8.0-alpine}
+    restart: ${RESTART:-always}
+    volumes:
+      - redis-data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      start_period: 10s
+      retries: 5
+
+  zammad-scheduler:
+    <<: *zammad-service
+    command: ["zammad-scheduler"]
+
+  zammad-websocket:
+    <<: *zammad-service
+    command: ["zammad-websocket"]
+
+volumes:
+  elasticsearch-data:
+    driver: local
+  postgresql-data:
+    driver: local
+  redis-data:
+    driver: local
+  zammad-backup:
+    driver: local
+  zammad-storage:
+    driver: local
+
+networks:
+  proxy:
+    external: true
+