Default Komodo setup

Add Frigate+ API key to enable image annotation/upload
Adjust doorbell motion parameters
Adjust detect stationary threshold
Enable recording retention for all 3 days and 30 days for motion

authelia/config/authelia/configuration.yml

@@ -6,7 +6,19 @@ server:
 
 # Security https://www.authelia.com/configuration/security/access-control/
 access_control:
+  networks:
+  - name: 'internal'
+    networks:
+    - '192.168.1.0/24'
+    - '172.16.0.0/12'
   rules:
+  - domain: 'gitea.tremendousturtle.tools'
+    policy: bypass
+    networks:
+    - 'internal'
+    resources:
+    - '^/api([/?].*)?$'
+    - '^/v2([/?].*)?$'
   - domain: '*.tremendousturtle.tools'
     policy: two_factor
 

authentik/docker-compose.yml

@@ -30,7 +30,7 @@ services:
     volumes:
       - redis:/data
   app:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
     restart: unless-stopped
     command: server
     environment:
@@ -42,6 +42,8 @@ services:
     networks:
       - proxy-net
       - default
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     volumes:
       - ./data/media:/media
       - ./config/custom-templates:/templates
@@ -50,13 +52,16 @@ services:
     ports:
       - "${COMPOSE_PORT_HTTP:-9000}:9000"
       - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+    expose:
+      - "9000"
+      - "9443"
     depends_on:
       db:
         condition: service_healthy
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
     restart: unless-stopped
     command: worker
     environment:

caddy/config/Caddyfile

@@ -74,6 +74,46 @@
 		import ttt-proxy {args[1]} {args[2]}
 	}
 }
+(authentik) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		reverse_proxy authentik-app-1:9000 {
+			header_up X-Real-IP {http.request.header.CF-Connecting-IP}
+			header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+		}
+	}
+}
+(redirect) {
+	{args[0]}.tremendousturtle.tools {
+		import tls
+		redir https://{args[1]}.tremendousturtle.tools{uri}
+	}
+}
+(authentik-forward) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		route {
+			# always forward outpost path to actual outpost
+			reverse_proxy /outpost.goauthentik.io/* http://authentik-app-1:9000
+
+			# forward authentication to outpost
+			forward_auth http://authentik-app-1:9000 {
+				uri /outpost.goauthentik.io/auth/caddy
+
+				# capitalization of the headers is important, otherwise they will be empty
+				copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+				# optional, in this config trust all private ranges, should probably be set to the outposts IP
+				trusted_proxies private_ranges
+			}
+
+			# actual site configuration below, for example
+			reverse_proxy {args[1]}:{args[2]}
+		}
+	}
+}
 
 # Web Config
 tremendousturtle.tools {
@@ -93,7 +133,7 @@ authentik.tremendousturtle.tools {
 
 # Define code.tremendousturtle.tools
 # Locally hosted non-docker apps (proxies to 192.168.1.234 instead of localhost)
-import ttt-app-local code 8020
+#import ttt-app-local code 8020
 import ttt-app-local pihole 1080
 import ttt-app-local sonarr 8989
 import ttt-app-local radarr 7878
@@ -101,11 +141,11 @@ import ttt-app-local prowlarr 9696
 import ttt-app-local cockpit 9090
 
 # Docker apps with same subdomain as docker compose project name
-import ttt-app frigate 8971
+#import ttt-app frigate 8971
 import ttt-app overseerr 5055
 import ttt-app openobserve 5080
-import ttt-app gitea 3000
-import ttt-app homepage 3000
+#import ttt-app gitea 3000
+#import ttt-app homepage 3000
 import ttt-app requestrr 4545
 
 # Alternate configuration (different subdomain and docker compose project name)
@@ -114,3 +154,12 @@ import ttt-app-alt trilium triliumnext-notes-app-1 8080
 import ttt-app-alt notes triliumnext-notes-app-1 8080
 import ttt-app-alt stash stashapp-app-1 9999
 import ttt-app-alt pihole1 192.168.1.116 80
+
+# Authentik Configs
+import authentik homepage
+import redirect home homepage
+
+import authentik frigate
+import authentik code
+import authentik gitea
+import authentik dozzle

caddy/docker-compose.yml

@@ -13,12 +13,10 @@ services:
       - "443:443"
       - "443:443/udp"
       - "2019:2019"
-    configs:
-      - source: caddyfile
-        target: /etc/caddy/Caddyfile
     volumes:
       - ./data/site:/srv
       - ./data/logs:/logs
+      - ./config:/etc/caddy
       - caddy_data:/data
       - caddy_config:/config
 
@@ -26,10 +24,6 @@ networks:
   proxy-net:
     external: true
 
-configs:
-  caddyfile:
-    file: ./Caddyfile
-
 volumes:
   caddy_data:
   caddy_config:

dozzle/docker-compose.yml

@@ -0,0 +1,19 @@
+name: dozzle
+services:
+  app:
+    image: amir20/dozzle:latest
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    expose:
+      - "8080"
+    environment:
+      DOZZLE_AUTH_PROVIDER: forward-proxy
+      DOZZLE_ENABLE_ACTIONS: true
+      DOZZLE_HOSTNAME: dozzle.tremendousturtle.tools
+    networks:
+      - proxy-net
+
+networks:
+  proxy-net:
+    external: true

frigate/config/config.yaml

@@ -4,7 +4,7 @@ auth:
 
 proxy:
   header_map:
-    user: Remote-User
+    user: X-Forwarded-Preferred-Username
 
 tls:
   enabled: false
@@ -38,8 +38,19 @@ objects:
   track:
     - person
     - car
+    - motorcycle
+    - bicycle
     - dog
     - cat
+    - license plate
+    - face
+    - amazon
+    - usps
+    - fedex
+    - ups
+    - package
+    - waste bin
+
 
 cameras:
   nw_garage:
@@ -108,8 +119,8 @@ cameras:
         - 0.79,0.003,0.79,0.035,0.82,0.035,0.82,0.003
         - 0.828,0.003,0.828,0.035,0.858,0.035,0.858,0.003
         - 0.866,0.003,0.866,0.035,0.896,0.035,0.896,0.003
-      threshold: 35
-      contour_area: 15
+      threshold: 30
+      contour_area: 18
       improve_contrast: true
 version: 0.14
 camera_groups:
@@ -128,4 +139,23 @@ camera_groups:
 detect:
   stationary:
     interval: 50
-    threshold: 40
+    threshold: 50
+
+snapshots:
+  enabled: True
+  retain:
+    default: 30
+
+record:
+  enabled: True
+  retain:
+    days: 3
+    mode: all
+  events:
+    retain:
+      default: 30
+      mode: motion
+
+telemetry:
+  stats:
+    network_bandwidth: True

frigate/docker-compose.yml

@@ -2,7 +2,11 @@ name: frigate
 services:
   app:
     restart: unless-stopped
-    image: ghcr.io/blakeblackshear/frigate:stable
+    #image: ghcr.io/blakeblackshear/frigate:stable
+    image: gitea.tremendousturtle.tools/chris/frigate:v0.14.1-web-admin-088ff992
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
     shm_size: "250mb"
     devices:
       - /dev/apex_0:/dev/apex_0 # Passes a PCIe Coral
@@ -20,12 +24,15 @@ services:
     networks:
       - proxy-net
     ports:
+      # - "8971:8971"
       - "8554:8554" # RTSP feeds
       - "8555:8555/tcp" # WebRTC over tcp
       - "8555:8555/udp" # WebRTC over udp
       - "5000:5000" # VS Code schema validation allowed
     expose:
       - "8971"
+    secrets:
+      - PLUS_API_KEY
     environment:
       LIBVA_DRIVER_NAME: "radeonsi" # FRIGATE_RTSP_PASSWORD: "69$nC*6$jADbc!"
     labels:
@@ -41,3 +48,7 @@ services:
 networks:
   proxy-net:
     external: true
+
+secrets:
+  PLUS_API_KEY:
+    file: ./secrets/PLUS_API_KEY

gitea/docker-compose.yml

@@ -17,6 +17,16 @@ services:
       GITEA__database__USER: ${GITEA_DB_USER}
       GITEA__database__PASSWD__FILE: /run/secrets/postgres_pass
       GITEA__server__SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE: gitea --config={{.CustomConf}} serv key-{{.Key.ID}}
+      GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION: true
+      GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION: true
+      GITEA__service__ENABLE_REVERSE_PROXY_EMAIL: true
+      GITEA__indexer__REPO_INDEXER_ENABLED: true
+      GITEA__indexer__REPO_INDEXER_PATH: indexers/repos.bleve
+      GITEA__indexer__MAX_FILE_SIZE: 1048576
+      GITEA__indexer__REPO_INDEXER_INCLUDE: ""
+      GITEA__indexer__REPO_INDEXER_EXCLUDE: resources/bin/**
+      GITEA__security__REVERSE_PROXY_LIMIT: 2
+      GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES: '172.31.0.0/16'
     restart: unless-stopped
     networks:
       - gitea

komodo/.env

@@ -0,0 +1,130 @@
+####################################
+# 🦎 KOMODO COMPOSE - VARIABLES 🦎 #
+####################################
+
+## These compose variables can be used with all Komodo deployment options.
+## Pass these variables to the compose up command using `--env-file komodo/compose.env`.
+## Additionally, they are passed to both Komodo Core and Komodo Periphery with `env_file: ./compose.env`,
+## so you can pass any additional environment variables to Core / Periphery directly in this file as well.
+
+## Stick to a specific version, or use `latest`
+COMPOSE_KOMODO_IMAGE_TAG=latest
+
+## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
+## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
+COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
+
+## DB credentials - Ignored for Sqlite
+DB_USERNAME=admin
+DB_PASSWORD=admin
+
+## Configure a secure passkey to authenticate between Core / Periphery.
+PASSKEY=a_random_passkey
+
+#=-------------------------=#
+#= Komodo Core Environment =#
+#=-------------------------=#
+
+## Full variable list + descriptions are available here:
+## 🦎 https://github.com/mbecker20/komodo/blob/main/config/core.config.toml 🦎
+
+## Note. Secret variables also support `${VARIABLE}_FILE` syntax to pass docker compose secrets.
+## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
+
+## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
+KOMODO_HOST=https://demo.komo.do
+## Displayed in the browser tab.
+KOMODO_TITLE=Komodo
+## Create a server matching this address as the "first server".
+## Use `https://host.docker.internal:8120` when using systemd-managed Periphery.
+KOMODO_FIRST_SERVER=https://periphery:8120
+## Make all buttons just double-click, rather than the full confirmation dialog.
+KOMODO_DISABLE_CONFIRM_DIALOG=false
+
+## Rate Komodo polls your servers for
+## status / container status / system stats / alerting.
+## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
+## Default: 15-sec
+KOMODO_MONITORING_INTERVAL="15-sec"
+## Rate Komodo polls Resources for updates,
+## like outdated commit hash.
+## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
+## Default: 5-min
+KOMODO_RESOURCE_POLL_INTERVAL="5-min"
+
+## Used to auth against periphery. Alt: KOMODO_PASSKEY_FILE
+KOMODO_PASSKEY=${PASSKEY}
+## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
+KOMODO_WEBHOOK_SECRET=a_random_secret
+## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
+KOMODO_JWT_SECRET=a_random_jwt_secret
+
+## Enable login with username + password.
+KOMODO_LOCAL_AUTH=true
+## Disable new user signups.
+KOMODO_DISABLE_USER_REGISTRATION=false
+## All new logins are auto enabled
+KOMODO_ENABLE_NEW_USERS=false
+## Disable non-admins from creating new resources.
+KOMODO_DISABLE_NON_ADMIN_CREATE=false
+## Allows all users to have Read level access to all resources.
+KOMODO_TRANSPARENT_MODE=false
+
+## Time to live for jwt tokens.
+## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
+KOMODO_JWT_TTL="1-day"
+
+## OIDC Login
+KOMODO_OIDC_ENABLED=false
+## Must reachable from Komodo Core container
+# KOMODO_OIDC_PROVIDER=https://oidc.provider.internal/application/o/komodo
+## Change the host to one reachable be reachable by users (optional if it is the same as above).
+## DO NOT include the `path` part of the URL.
+# KOMODO_OIDC_REDIRECT_HOST=https://oidc.provider.external
+## Your client credentials
+# KOMODO_OIDC_CLIENT_ID= # Alt: KOMODO_OIDC_CLIENT_ID_FILE
+# KOMODO_OIDC_CLIENT_SECRET= # Alt: KOMODO_OIDC_CLIENT_SECRET_FILE
+## Make usernames the full email.
+# KOMODO_OIDC_USE_FULL_EMAIL=true
+## Add additional trusted audiences for token claims verification.
+## Supports comma separated list, and passing with _FILE (for compose secrets).
+# KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
+
+## Github Oauth
+KOMODO_GITHUB_OAUTH_ENABLED=false
+# KOMODO_GITHUB_OAUTH_ID= # Alt: KOMODO_GITHUB_OAUTH_ID_FILE
+# KOMODO_GITHUB_OAUTH_SECRET= # Alt: KOMODO_GITHUB_OAUTH_SECRET_FILE
+
+## Google Oauth
+KOMODO_GOOGLE_OAUTH_ENABLED=false
+# KOMODO_GOOGLE_OAUTH_ID= # Alt: KOMODO_GOOGLE_OAUTH_ID_FILE
+# KOMODO_GOOGLE_OAUTH_SECRET= # Alt: KOMODO_GOOGLE_OAUTH_SECRET_FILE
+
+## Aws - Used to launch Builder instances and ServerTemplate instances.
+KOMODO_AWS_ACCESS_KEY_ID= # Alt: KOMODO_AWS_ACCESS_KEY_ID_FILE
+KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
+
+## Hetzner - Used to launch ServerTemplate instances
+## Hetzner Builder not supported due to Hetzner pay-by-the-hour pricing model
+KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
+
+#=------------------------------=#
+#= Komodo Periphery Environment =#
+#=------------------------------=#
+
+## Full variable list + descriptions are available here:
+## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
+
+## Periphery passkeys must include KOMODO_PASSKEY to authenticate
+PERIPHERY_PASSKEYS=${PASSKEY}
+
+## Enable SSL using self signed certificates.
+## Connect to Periphery at https://address:8120.
+PERIPHERY_SSL_ENABLED=true
+
+## If the disk size is overreporting, can use one of these to 
+## whitelist / blacklist the disks to filter them, whichever is easier.
+## Accepts comma separated list of paths.
+## Usually whitelisting just /etc/hostname gives correct size.
+PERIPHERY_INCLUDE_DISK_MOUNTS=/etc/hostname
+# PERIPHERY_EXCLUDE_DISK_MOUNTS=/snap,/etc/repos

komodo/docker-compose.yml

@@ -0,0 +1,103 @@
+################################
+# 🦎 KOMODO COMPOSE - MONGO 🦎 #
+################################
+
+## This compose file will deploy:
+##   1. MongoDB
+##   2. Komodo Core
+##   3. Komodo Periphery
+
+name: komodo
+services:
+  db:
+    image: mongo
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    command: --quiet --wiredTigerCacheSizeGB 0.25
+    restart: unless-stopped
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - default
+    # ports:
+    #   - 27017:27017
+    volumes:
+      - mongo-data:/data/db
+      - mongo-config:/data/configdb
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: ${DB_USERNAME}
+      MONGO_INITDB_ROOT_PASSWORD: ${DB_PASSWORD}
+  
+  core:
+    image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    restart: unless-stopped
+    depends_on:
+      - db
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - default
+    ports:
+      - 9120:9120
+    env_file: ./compose.env
+    environment:
+      KOMODO_DATABASE_ADDRESS: db:27017
+      KOMODO_DATABASE_USERNAME: ${DB_USERNAME}
+      KOMODO_DATABASE_PASSWORD: ${DB_PASSWORD}
+    volumes:
+      ## Core cache for repos for latest commit hash / contents
+      - repo-cache:/repo-cache
+      ## Store sync files on server
+      # - /path/to/syncs:/syncs
+      ## Optionally mount a custom core.config.toml
+      # - /path/to/core.config.toml:/config/config.toml
+    ## Allows for systemd Periphery connection at 
+    ## "http://host.docker.internal:8120"
+    # extra_hosts:
+    #   - host.docker.internal:host-gateway
+
+  ## Deploy Periphery container using this block,
+  ## or deploy the Periphery binary with systemd using 
+  ## https://github.com/mbecker20/komodo/tree/main/scripts
+  periphery:
+    image: ghcr.io/mbecker20/periphery:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    restart: unless-stopped
+    logging:
+      driver: ${COMPOSE_LOGGING_DRIVER:-local}
+    networks:
+      - default
+    env_file: ./compose.env
+    volumes:
+      ## Mount external docker socket
+      - /var/run/docker.sock:/var/run/docker.sock
+      ## Allow Periphery to see processes outside of container
+      - /proc:/proc
+      ## use self signed certs in docker volume, 
+      ## or mount your own signed certs.
+      - ssl-certs:/etc/komodo/ssl
+      ## manage repos in a docker volume, 
+      ## or change it to an accessible host directory.
+      - repos:/etc/komodo/repos
+      ## manage stack files in a docker volume, 
+      ## or change it to an accessible host directory.
+      - stacks:/etc/komodo/stacks
+      ## Optionally mount a path to store compose files
+      # - /path/to/compose:/host/compose
+
+volumes:
+  # Mongo
+  mongo-data:
+  mongo-config:
+  # Core
+  repo-cache:
+  # Periphery
+  ssl-certs:
+  repos:
+  stacks:
+
+networks:
+  default: {}