This is an opinionated homelab: a single server (it can do more) that is GitOps'ed and version controlled.

Inside each folder is a `compose.yaml` file. Read the README, and edit the `.env.sample` as needed.

Each service can also be run simply as an individual container, reachable by its IP and port. However, following the guide here is the recommended way of running this homelab.

As the guide says, installing operating systems, using Git and using Docker are prerequisites and fundamental knowledge.
- Set up Renovate to auto-download new images to the Forgejo Registry.
- anubis + traefik --> wait for middlewares
- tinyauth oauth
- docker swarm with desktop for a beefier cpu?
- consistent order for compose files, i.e. image, then name, then volumes, etc.
- add healthchecks to lots
```sh
./addservice.sh <server_name> <service_name>
```
## Traefik

```yaml
    security_opt:
      - no-new-privileges:true # helps to increase security
    networks:
      - intranet
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.SUBDOMAIN.entrypoints=http"
      - "traefik.http.routers.SUBDOMAIN.rule=Host(`SUBDOMAIN.${DOMAIN}`)"
      - "traefik.http.middlewares.SUBDOMAIN-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.SUBDOMAIN.middlewares=SUBDOMAIN-https-redirect"
      - "traefik.http.routers.SUBDOMAIN-secure.entrypoints=https"
      - "traefik.http.routers.SUBDOMAIN-secure.rule=Host(`SUBDOMAIN.${DOMAIN}`)"
      - "traefik.http.routers.SUBDOMAIN-secure.tls=true"
      - "traefik.http.routers.SUBDOMAIN-secure.service=SUBDOMAIN"
      - "traefik.http.services.SUBDOMAIN.loadbalancer.server.port=80" # port of the service.
      - "traefik.docker.network=intranet"

networks:
  intranet:
    external: true
```
Additional security improvements (these will break stuff):
```yaml
    tmpfs:
      - '/tmp:size=64m'
    read_only: true
    cap_add:
      - NET_BIND_SERVICE
    cap_drop:
      - ALL
    init: true
```

To put a service behind TinyAuth:

```yaml
      - "traefik.http.routers.SUBDOMAIN-secure.middlewares=tinyauth"
```

To use Anubis:

```yaml
      - "traefik.http.routers.SUBDOMAIN.middlewares=anubis@docker"
```

To add to Homepage:

```yaml
      - "homepage.group=Other"
      - "homepage.name=SUBDOMAIN"
      - "homepage.icon=/images/SUBDOMAIN.png"
      - "homepage.href=https://SUBDOMAIN.${DOMAIN}/"
```

## Gluetun
Traefik labels for a service that shares Gluetun's network namespace:

```yaml
      - "traefik.http.routers.SUBDOMAIN.entrypoints=http"
      - "traefik.http.routers.SUBDOMAIN.rule=Host(`SUBDOMAIN.${DOMAIN}`)"
      - "traefik.http.middlewares.SUBDOMAIN-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.SUBDOMAIN.middlewares=SUBDOMAIN-https-redirect"
      - "traefik.http.routers.SUBDOMAIN-secure.entrypoints=https"
      - "traefik.http.routers.SUBDOMAIN-secure.rule=Host(`SUBDOMAIN.${DOMAIN}`)"
      - "traefik.http.routers.SUBDOMAIN-secure.tls=true"
      - "traefik.http.routers.SUBDOMAIN-secure.service=SUBDOMAIN"
      - "traefik.http.services.SUBDOMAIN.loadbalancer.server.port=8080" # port of the service.
```

The service itself:

```yaml
    security_opt:
      - no-new-privileges:true # helps to increase security
    network_mode: container:gluetun
    labels:
      - "homepage.group=SUBDOMAIN"
      - "homepage.name=SUBDOMAIN"
      - "homepage.icon=/images/SUBDOMAIN.png"
      - "homepage.href=https://SUBDOMAIN.${DOMAIN}/"
```
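Since every service in this repo is expected to follow the Traefik template above (an HTTP router that redirects, a `-secure` router with TLS, a service port, and `no-new-privileges`), a small audit script can catch a copy-paste slip before it is committed. The following is an added example, not the repo's own code; it assumes label lines are written as `- "key=value"` like the templates above, and the `wiki` service is a constructed sample.

```python
# Added example, not the repo's own code: audit a compose service fragment against the
# Traefik/hardening conventions shown above (e.g. as a pre-commit or CI check).
import re

# Label lines in this repo's templates look like:  - "key=value"  # optional comment
LABEL_RE = re.compile(r'^\s*-\s*"?(traefik\.[^=\s]+)=(.*?)"?\s*(?:#.*)?$')
def parse_labels(text):
    """Collect traefik.* labels from compose text into a {key: value} dict."""
    return {m.group(1): m.group(2) for m in map(LABEL_RE.match, text.splitlines()) if m}
def audit(text):
    """Return a list of findings; an empty list means the fragment meets the baseline."""
    labels, findings, routers = parse_labels(text), [], {}
    for key, value in labels.items():
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.(.+)", key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value
    # Names of middlewares that redirect to https (the SUBDOMAIN-https-redirect pattern).
    redirects = {k.split(".")[3] for k, v in labels.items()
                 if k.endswith(".redirectscheme.scheme") and v == "https"}
    for name, opts in routers.items():
        if name.endswith("-secure"):
            if opts.get("entrypoints") != "https" or opts.get("tls") != "true":
                findings.append(f"{name}: needs entrypoints=https and tls=true")
            if f"traefik.http.services.{opts.get('service')}.loadbalancer.server.port" not in labels:
                findings.append(f"{name}: its service has no loadbalancer.server.port label")
        else:
            if f"{name}-secure" not in routers:
                findings.append(f"{name}: no {name}-secure router, service exposed over http only")
            if not set(opts.get("middlewares", "").split(",")) & redirects:
                findings.append(f"{name}: http router does not redirect to https")
    if not re.search(r"no-new-privileges:\s*true", text):
        findings.append("security_opt: no-new-privileges:true is missing")
    return findings

# Constructed sample for a hypothetical service "wiki", following the template above.
GOOD = """
    security_opt:
      - no-new-privileges:true
    labels:
      - "traefik.http.routers.wiki.entrypoints=http"
      - "traefik.http.middlewares.wiki-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.wiki.middlewares=wiki-https-redirect"
      - "traefik.http.routers.wiki-secure.entrypoints=https"
      - "traefik.http.routers.wiki-secure.tls=true"
      - "traefik.http.routers.wiki-secure.service=wiki"
      - "traefik.http.services.wiki.loadbalancer.server.port=80" # port of the service.
"""
# The same fragment with TLS and no-new-privileges weakened: audit() reports both.
BAD = GOOD.replace("tls=true", "tls=false").replace("privileges:true", "privileges:false")
```

Run `audit()` over each `compose.yaml` in the repo; a non-empty list is a reason to block the commit.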