update overseerr and stashapp config files in preparation for new branch creation

add Caddy Dockerfile to build image using xcaddy including cloudflare modules
docker-compose.yml file builds image instead of pulling it

.gitignore

@@ -5,3 +5,5 @@ stashapp/**/config.yml.*
 stashapp/**/icon.png
 requestrr/**/notifications.json
 logs/
+authentik/.env
+caddy/.env

authelia/docker-compose.yml

@@ -1,6 +1,6 @@
 name: "authelia"
 services:
-  app:
+  authelia:
     image: authelia/authelia:latest
     restart: unless-stopped
     depends_on:
@@ -8,6 +8,9 @@ services:
       - redis
     volumes:
       - ./config/authelia:/config
+    networks:
+      - proxy-net
+      - default
     ports:
       - "9091:9091"
     environment:
@@ -67,6 +70,10 @@ services:
     secrets:
       - redis_pass
 
+networks:
+  proxy-net:
+    external: true
+
 secrets:
   postgres_pass:
     file: ./secrets/POSTGRES_PASS

authentik/docker-compose.yml

@@ -0,0 +1,96 @@
+name: authentik
+services:
+  postgresql:
+    image: docker.io/library/postgres:16-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+      POSTGRES_USER: ${PG_USER:-authentik}
+      POSTGRES_DB: ${PG_DB:-authentik}
+    env_file:
+      - .env
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    networks:
+      - proxy-net
+      - default
+    volumes:
+      - ./data/media:/media
+      - ./config/custom-templates:/templates
+    env_file:
+      - .env
+    ports:
+      - "${COMPOSE_PORT_HTTP:-9000}:9000"
+      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data/media:/media
+      - ./data/certs:/certs
+      - ./config/custom-templates:/templates
+    env_file:
+      - .env
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+
+volumes:
+  database:
+    driver: local
+  redis:
+    driver: local
+
+networks:
+  proxy-net:
+    external: true

caddy/Caddyfile

@@ -0,0 +1,118 @@
+# Global Config
+{
+	email certs@tremendousturtle.tools
+	default_sni tremendousturtle.tools
+	acme_ca https://acme-v02.api.letsencrypt.org/directory
+	admin localhost:2019
+	# debug
+	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+
+	servers {
+		trusted_proxies cloudflare {
+			interval 12h
+			timeout 15s
+		}
+		client_ip_headers Cf-Connecting-Ip X-Forwarded-For X-Real-IP
+	}
+}
+
+# Global Reusable Blocks
+(tls) {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_TOKEN}
+			api_token {env.CF_API_TOKEN}
+		}
+	}
+}
+(secure) {
+	forward_auth {args[0]} authelia:9091 {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+	}
+}
+(secure-external) {
+	forward_auth {args[0]} https://auth.tremendousturtle.tools {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+		header_up Host {upstream_hostport}
+	}
+}
+(ttt-log) {
+	log {
+		output file /logs/{args[0]}.tremendousturtle.tools.log
+	}
+}
+(ttt-proxy) {
+	reverse_proxy {args[0]}:{args[1]} {
+		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
+		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+	}
+}
+(ttt-app) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		import secure *
+		import ttt-proxy {args[0]} {args[1]}
+	}
+}
+(ttt-app-alt) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		import secure *
+		import ttt-proxy {args[1]} {args[2]}
+	}
+}
+
+# Web Config
+tremendousturtle.tools {
+	import tls
+	respond "I'm Alive!"
+}
+
+auth.tremendousturtle.tools {
+	import tls
+	reverse_proxy 127.0.0.1:9091
+}
+
+authentik.tremendousturtle.tools {
+	import tls
+	reverse_proxy 127.0.0.1:9000
+}
+
+# Define code.tremendousturtle.tools
+import ttt-app code 8020
+
+import ttt-app frigate 8971
+
+import ttt-app pihole 1080
+
+import ttt-app stash 9999
+
+import ttt-app sonarr 8989
+
+import ttt-app radarr 7878
+
+import ttt-app overseerr 5055
+
+import ttt-app prowlarr 9696
+
+import ttt-app openobserve 5080
+
+import ttt-app cockpit 9090
+
+import ttt-app budget 5006
+
+import ttt-app gitea 3000
+
+import ttt-app trilium 8040
+
+import ttt-app notes 8040
+
+import ttt-app-alt pihole1 192.168.1.116 80
+
+import ttt-app homepage 3001
+
+

caddy/Dockerfile

@@ -0,0 +1,9 @@
+FROM caddy:2.9.1-builder AS builder
+
+RUN xcaddy build \
+    --with github.com/caddy-dns/cloudflare \
+    --with github.com/WeidiDeng/caddy-cloudflare-ip
+
+FROM caddy:2.9.1
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy

caddy/docker-compose.yml

@@ -0,0 +1,32 @@
+name: caddy
+services:
+  caddy:
+    build: .
+    restart: unless-stopped
+    networks:
+      - proxy-net
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+      - "2019:2019"
+    configs:
+      - source: caddyfile
+        target: /etc/caddy/Caddyfile
+    volumes:
+      - ./data/site:/srv
+      - ./data/logs:/logs
+      - caddy_data:/data
+      - caddy_config:/config
+
+networks:
+  proxy-net:
+    external: true
+
+configs:
+  caddyfile:
+    file: ./Caddyfile
+
+volumes:
+  caddy_data:
+  caddy_config:

overseerr/config/settings.json

@@ -33,21 +33,21 @@
     "name": "4k Movies",
     "enabled": true,
     "type": "movie",
-    "lastScan": 1734342000015
+    "lastScan": 1736750700022
    },
    {
     "id": "2",
     "name": "Movies",
     "enabled": true,
     "type": "movie",
-    "lastScan": 1734342000024
+    "lastScan": 1736750700033
    },
    {
     "id": "1",
     "name": "TV Shows",
     "enabled": true,
     "type": "show",
-    "lastScan": 1734342000067
+    "lastScan": 1736750700074
    }
   ],
   "machineId": "5e16f8ceb511bde943f92bbe07e3e6e33307eb16"