Update settings.json for oversseerr

Change any port changes in docker-compose files to use expose and the default port instead of 3001:3000
Any localhost limited ports changed to expose instead
Add requestrr to caddyfile

.gitignore

@@ -5,3 +5,5 @@ stashapp/**/config.yml.*
 stashapp/**/icon.png
 requestrr/**/notifications.json
 logs/
+authentik/.env
+caddy/.env

actual-server/docker-compose.yml

@@ -1,10 +1,15 @@
+name: actual-server
 services:
-  actual_server:
+  app:
     image: docker.io/actualbudget/actual-server:latest
-    ports:
+    networks:
+      - proxy-net
+    #ports:
       # This line makes Actual available at port 5006 of the device you run the server on,
       # i.e. http://localhost:5006. You can change the first number to change the port, if you want.
-      - '5006:5006'
+    #  - '5006:5006'
+    expose:
+      - "5006"
     #environment:
       # - ACTUAL_LOGIN_METHOD=header
       # Uncomment any of the lines below to set configuration options.
@@ -21,3 +26,7 @@ services:
       # '/data' is the path Actual will look for its files in by default, so leave that as-is.
       - ./data:/data
     restart: unless-stopped
+
+networks:
+  proxy-net:
+    external: true

authelia/docker-compose.yml

@@ -1,4 +1,4 @@
-name: "authelia"
+name: authelia
 services:
   app:
     image: authelia/authelia:latest
@@ -8,6 +8,9 @@ services:
       - redis
     volumes:
       - ./config/authelia:/config
+    networks:
+      - proxy-net
+      - default
     ports:
       - "9091:9091"
     environment:
@@ -22,9 +25,9 @@ services:
       AUTHELIA_AUTHENTICATION_BACKEND_FILE_PATH: /run/secrets/users_database
       AUTHELIA_TOTP_ISSUER: tremendousturtle.tools
       AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: deny
-      AUTHELIA_SESSION_REDIS_HOST: redis
+      AUTHELIA_SESSION_REDIS_HOST: authelia-redis-1
       AUTHELIA_SESSION_REDIS_PORT: 6379
-      AUTHELIA_STORAGE_POSTGRES_ADDRESS: tcp://database:5432
+      AUTHELIA_STORAGE_POSTGRES_ADDRESS: tcp://authelia-database-1:5432
       AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
       AUTHELIA_STORAGE_POSTGRES_USERNAME: authelia
       AUTHELIA_NOTIFIER_SMTP_ADDRESS: submissions://smtp.mailgun.org:465
@@ -67,6 +70,10 @@ services:
     secrets:
       - redis_pass
 
+networks:
+  proxy-net:
+    external: true
+
 secrets:
   postgres_pass:
     file: ./secrets/POSTGRES_PASS

authentik/docker-compose.yml

@@ -0,0 +1,96 @@
+name: authentik
+services:
+  db:
+    image: docker.io/library/postgres:16-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+      POSTGRES_USER: ${PG_USER:-authentik}
+      POSTGRES_DB: ${PG_DB:-authentik}
+    env_file:
+      - .env
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - redis:/data
+  app:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: authentik-redis-1
+      AUTHENTIK_POSTGRESQL__HOST: authentik-db-1
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    networks:
+      - proxy-net
+      - default
+    volumes:
+      - ./data/media:/media
+      - ./config/custom-templates:/templates
+    env_file:
+      - .env
+    ports:
+      - "${COMPOSE_PORT_HTTP:-9000}:9000"
+      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: authentik-redis-1
+      AUTHENTIK_POSTGRESQL__HOST: authentik-db-1
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data/media:/media
+      - ./data/certs:/certs
+      - ./config/custom-templates:/templates
+    env_file:
+      - .env
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+
+volumes:
+  database:
+    driver: local
+  redis:
+    driver: local
+
+networks:
+  proxy-net:
+    external: true

caddy/Caddyfile

@@ -0,0 +1,116 @@
+# Global Config
+{
+	email certs@tremendousturtle.tools
+	default_sni tremendousturtle.tools
+	acme_ca https://acme-v02.api.letsencrypt.org/directory
+	admin :2019
+	# debug
+	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+
+	servers {
+		trusted_proxies cloudflare {
+			interval 12h
+			timeout 15s
+		}
+		client_ip_headers Cf-Connecting-Ip X-Forwarded-For X-Real-IP
+	}
+}
+
+# Global Reusable Blocks
+(tls) {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_TOKEN}
+			api_token {env.CF_API_TOKEN}
+		}
+		resolvers 1.1.1.1 1.0.0.1
+	}
+}
+(secure) {
+	forward_auth {args[0]} authelia-app-1:9091 {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+	}
+}
+(secure-external) {
+	forward_auth {args[0]} https://auth.tremendousturtle.tools {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+		header_up Host {upstream_hostport}
+	}
+}
+(ttt-log) {
+	log {
+		output file /logs/{args[0]}.tremendousturtle.tools.log
+	}
+}
+(ttt-proxy) {
+	reverse_proxy {args[0]}:{args[1]} {
+		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
+		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+	}
+}
+(ttt-app) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		import secure *
+		import ttt-proxy {args[0]}-app-1 {args[1]}
+	}
+}
+(ttt-app-local) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		import secure *
+		import ttt-proxy host.docker.internal {args[1]}
+	}
+}
+(ttt-app-alt) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		import secure *
+		import ttt-proxy {args[1]} {args[2]}
+	}
+}
+
+# Web Config
+tremendousturtle.tools {
+	import tls
+	respond "I'm Alive!"
+}
+
+auth.tremendousturtle.tools {
+	import tls
+	reverse_proxy authelia-app-1:9091
+}
+
+authentik.tremendousturtle.tools {
+	import tls
+	reverse_proxy authentik-app-1:9000
+}
+
+# Define code.tremendousturtle.tools
+# Locally hosted non-docker apps (proxies to 192.168.1.234 instead of localhost)
+import ttt-app-local code 8020
+import ttt-app-local pihole 1080
+import ttt-app-local sonarr 8989
+import ttt-app-local radarr 7878
+import ttt-app-local prowlarr 9696
+import ttt-app-local cockpit 9090
+
+# Docker apps with same subdomain as docker compose project name
+import ttt-app frigate 8971
+import ttt-app overseerr 5055
+import ttt-app openobserve 5080
+import ttt-app gitea 3000
+import ttt-app homepage 3000
+import ttt-app requestrr 4545
+
+# Alternate configuration (different subdomain and docker compose project name)
+import ttt-app-alt budget actual-server-app-1 5006
+import ttt-app-alt trilium triliumnext-notes-app-1 8080
+import ttt-app-alt notes triliumnext-notes-app-1 8080
+import ttt-app-alt stash stashapp-app-1 9999
+import ttt-app-alt pihole1 192.168.1.116 80

caddy/Dockerfile

@@ -0,0 +1,9 @@
+FROM caddy:2.9.1-builder AS builder
+
+RUN xcaddy build \
+    --with github.com/caddy-dns/cloudflare \
+    --with github.com/WeidiDeng/caddy-cloudflare-ip
+
+FROM caddy:2.9.1
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy

caddy/docker-compose.yml

@@ -0,0 +1,35 @@
+name: caddy
+services:
+  app:
+    build: .
+    restart: unless-stopped
+    env_file: .env
+    networks:
+      - proxy-net
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+      - "2019:2019"
+    configs:
+      - source: caddyfile
+        target: /etc/caddy/Caddyfile
+    volumes:
+      - ./data/site:/srv
+      - ./data/logs:/logs
+      - caddy_data:/data
+      - caddy_config:/config
+
+networks:
+  proxy-net:
+    external: true
+
+configs:
+  caddyfile:
+    file: ./Caddyfile
+
+volumes:
+  caddy_data:
+  caddy_config:

cloudflared/docker-compose.yml

@@ -0,0 +1,16 @@
+name: cloudflared
+services:
+  app:
+    image: cloudflare/cloudflared:latest
+    volumes:
+      - ./config:/etc/cloudflared
+    command: tunnel --no-autoupdate run --token eyJhIjoiNjhmNjVkYzZkNDgzODZkMTMwNTk2ODk4ZThjNzVhODMiLCJ0IjoiYmNkMjg3OGYtYTRmYi00OWJmLTk0MGMtMzFkYWE2ZDkyNjIwIiwicyI6Ill6STNNbUUwT0RrdE4yWmhaaTAwWWpZM0xXRTFaRFF0TkdWa09HTmpOVFEwTnpRdyJ9
+    restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    networks:
+     - proxy-net
+
+networks:
+  proxy-net:
+    external: true

frigate/docker-compose.yml

@@ -1,6 +1,6 @@
+name: frigate
 services:
-  frigate:
-    container_name: frigate
+  app:
     restart: unless-stopped
     image: ghcr.io/blakeblackshear/frigate:stable
     shm_size: "250mb"
@@ -17,12 +17,15 @@ services:
         target: /tmp/cache
         tmpfs:
           size: 4000000000
+    networks:
+      - proxy-net
     ports:
-      - "8971:8971"
       - "8554:8554" # RTSP feeds
       - "8555:8555/tcp" # WebRTC over tcp
       - "8555:8555/udp" # WebRTC over udp
       - "5000:5000" # VS Code schema validation allowed
+    expose:
+      - "8971"
     environment:
       LIBVA_DRIVER_NAME: "radeonsi" # FRIGATE_RTSP_PASSWORD: "69$nC*6$jADbc!"
     labels:
@@ -32,5 +35,9 @@ services:
       - homepage.href=https://frigate.tremendousturtle.tools/
       - homepage.description=Camera Surveillance
       - homepage.widget.type=frigate
-      - homepage.widget.url=http://192.168.1.234:5000
+      - homepage.widget.url=http://frigate-app-1:5000
       - homepage.widget.enableRecentEvents=true
+
+networks:
+  proxy-net:
+    external: true

gitea/docker-compose.yml

@@ -1,30 +1,35 @@
 networks:
   gitea:
     external: false
+  proxy-net:
+    external: true
 
+name: gitea
 services:
-  server:
+  app:
     image: gitea/gitea:latest
     environment:
       USER_UID: 141
       USER_GID: 150
       GITEA__database__DB_TYPE: postgres
-      GITEA__database__HOST: db:5432
+      GITEA__database__HOST: gitea-db-1:5432
       GITEA__database__NAME: ${GITEA_DB_NAME}
       GITEA__database__USER: ${GITEA_DB_USER}
       GITEA__database__PASSWD__FILE: /run/secrets/postgres_pass
       GITEA__server__SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE: gitea --config={{.CustomConf}} serv key-{{.Key.ID}}
-    restart: always
+    restart: unless-stopped
     networks:
       - gitea
+      - proxy-net
     volumes:
       - ./data/gitea:/data
       - /home/git/.ssh/:/data/git/.ssh
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     ports:
-      - "3000:3000"
       - "127.0.0.1:2222:22"
+    expose:
+      - "3000"
     depends_on:
       - db
     secrets:
@@ -32,7 +37,7 @@ services:
 
   db:
     image: postgres:14
-    restart: always
+    restart: unless-stopped
     environment:
       POSTGRES_USER: ${GITEA_DB_USER}
       POSTGRES_PASSWORD_FILE: /run/secrets/postgres_pass

homepage/docker-compose.yml

@@ -6,8 +6,11 @@ services:
       - dockerproxy
     environment:
       DOCKER_TEMPLATE_CREATED: true
-    ports:
-      - "3001:3000"
+    expose:
+      - "3000"
+    networks:
+      - proxy-net
+      - default
     restart: unless-stopped
     volumes:
       - ./config:/app/config # Make sure your local config directory exists
@@ -19,8 +22,12 @@ services:
       - SERVICES=1 # Allow access to viewing services (necessary when using Docker Swarm)
       - TASKS=1 # Allow access to viewing tasks (necessary when using Docker Swarm)
       - POST=0 # Disallow any POST operations (effectively read-only)
-    ports:
-      - "127.0.0.1:2375:2375"
+    expose:
+      - "2375"
     restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro # Mounted as read-only
+
+networks:
+  proxy-net:
+    external: true

openobserve/docker-compose.yml

@@ -16,9 +16,13 @@ services:
     restart: unless-stopped
     depends_on:
       - db
+    networks:
+      - proxy-net
+      - default
     ports:
-      - "5080:5080"
       - "5514:5514"
+    expose:
+      - "5080"
     env_file: ./secrets/openobserve.env
     environment:
       ZO_DATA_DIR: /data
@@ -31,6 +35,10 @@ services:
       - ./data/openobserve:/data
       - ./data/stream:/stream
 
+networks:
+  proxy-net:
+    external: true
+
 secrets:
   postgres_pass:
     file: ./secrets/POSTGRES_PASS

orbital-sync/docker-compose.yml

@@ -1,6 +1,10 @@
+name: orbital-sync
 services:
-  orbital-sync:
+  app:
     image: mattwebbio/orbital-sync:1
+    restart: unless-stopped
+    networks:
+      - proxy-net
     environment:
       PRIMARY_HOST_BASE_URL: 'http://192.168.1.234:1080'
       PRIMARY_HOST_PASSWORD: ""
@@ -8,3 +12,7 @@ services:
       SECONDARY_HOSTS_1_PASSWORD: 'e8JBq59!pwM6Ppj'
       INTERVAL_MINUTES: 60
       VERBOSE: true
+
+networks:
+  proxy-net:
+    external: true

overseerr/config/settings.json

@@ -33,21 +33,21 @@
     "name": "4k Movies",
     "enabled": true,
     "type": "movie",
-    "lastScan": 1734342000015
+    "lastScan": 1736797500041
    },
    {
     "id": "2",
     "name": "Movies",
     "enabled": true,
     "type": "movie",
-    "lastScan": 1734342000024
+    "lastScan": 1736797500057
    },
    {
     "id": "1",
     "name": "TV Shows",
     "enabled": true,
     "type": "show",
-    "lastScan": 1734342000067
+    "lastScan": 1736797500105
    }
   ],
   "machineId": "5e16f8ceb511bde943f92bbe07e3e6e33307eb16"

overseerr/docker-compose.yml

@@ -1,14 +1,23 @@
+name: overseerr
 services:
-  overseerr:
+  app:
     image: sctx/overseerr:latest
-    container_name: overseerr
     user: '115'
     environment:
       - LOG_LEVEL=debug
       - TZ=America/Los_Angeles
+    networks:
+      - proxy-net
+      - default
     ports:
-      - 5055:5055
+      - "5055:5055"
+    expose:
+      - "5055"
     volumes:
       - ./data:/app/config
       - ./config/settings.json:/app/config/settings.json
     restart: unless-stopped
+
+networks:
+  proxy-net:
+    external: true

requestrr/docker-compose.yml

@@ -1,11 +1,18 @@
+name: requestrr
 services:
-  requestrr:
+  app:
     image: thomst08/requestrr
-    hostname: requestrr
-    container_name: requestrr
+    networks:
+      - proxy-net
     ports:
-    - 4545:4545
+      - "4545:4545"
+    expose:
+      - "4545"
     volumes:
       - ./config:/root/config
       - ./data/tmp:/root/config/tmp
     restart: unless-stopped
+
+networks:
+  proxy-net:
+    external: true

stashapp/docker-compose.yml

@@ -1,13 +1,17 @@
 # APPNICENAME=Stash
 # APPDESCRIPTION=An organizer for your porn, written in Go
+name: stashapp
 services:
-  stash:
+  app:
     image: stashapp/stash:latest
-    container_name: stash
     restart: unless-stopped
     ## the container's port must be the same with the STASH_PORT in the environment section
+    networks:
+      - proxy-net
     ports:
       - "9999:9999"
+    expose:
+      - "9999"
     ## If you intend to use stash's DLNA functionality uncomment the below network mode and comment out the above ports section
     # network_mode: host
     logging:
@@ -49,3 +53,7 @@ services:
       - ./data/db:/db
       ## Where to store generated content (screenshots,previews,transcodes,sprites)
       - /media/stashapp/generated:/generated
+
+networks:
+  proxy-net:
+    external: true

triliumnext-notes/docker-compose.yml

@@ -6,9 +6,15 @@ services:
     volumes:
       - ./data:/home/node/trilium-data
       - ./config:/home/node/trilium-config
-    ports:
-      - "127.0.0.1:8040:8080"
+    expose:
+      - "8080"
+    networks:
+      - proxy-net
     environment:
       USER_UID: 1000
       USER_GID: 1000
       TRILIUM_CONFIG_INI_PATH: /home/node/trilium-config/config.ini
+
+networks:
+  proxy-net:
+    external: true