ulfr/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Rafał
2026-02-23 17:46:11 +01:00
commit 4b7a8dce28
12 changed files with 313 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
.env
.DS_Store

0
README.md Normal file
View File

3
stacks/authentik/.env.example Normal file
View File

@@ -0,0 +1,3 @@
AUTHENTIK_DOMAIN=
PG_DB=
PG_USER=

95
stacks/authentik/docker-compose.yml Normal file
View File

@@ -0,0 +1,95 @@
services:
db:
image: postgres@sha256:035b9ab53cfa147d7202b61f5f7782b939ae815b7d6bc81c96b7b42ff1fca950
container_name: authentik-db
restart: unless-stopped
env_file:
- .env
environment:
POSTGRES_DB: ${PG_DB}
POSTGRES_USER: ${PG_USER}
POSTGRES_PASSWORD_FILE: /run/secrets/pg_pass
volumes:
- authentik_database:/var/lib/postgresql/data
networks:
- authentik_internal
secrets:
- pg_pass
healthcheck:
interval: 30s
retries: 5
start_period: 20s
test:
- CMD-SHELL
- pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
timeout: 5s
server:
image: ghcr.io/goauthentik/server:2025.12.4@sha256:61eb50cfededf2ecc0ef483b497746db96d18934d440d7d55f6baa41977d8e85
container_name: authentik-server
restart: unless-stopped
command: server
depends_on:
db:
condition: service_healthy
env_file:
- .env
environment:
AUTHENTIK_POSTGRESQL__HOST: db
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/pg_pass
AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
volumes:
- authentik_data:/data
networks:
- authentik_internal
- homelab_apps
secrets:
- pg_pass
- authentik_secret_key
labels:
- traefik.enable=true
- traefik.docker.network=homelab_apps
- traefik.http.routers.authentik.rule=Host(`${AUTHENTIK_DOMAIN}`)
- traefik.http.routers.authentik.entrypoints=websecure
- traefik.http.routers.authentik.tls=true
- traefik.http.routers.authentik.tls.certresolver=le
- traefik.http.services.authentik.loadbalancer.server.port=9000
worker:
image: ghcr.io/goauthentik/server:2025.12.4@sha256:61eb50cfededf2ecc0ef483b497746db96d18934d440d7d55f6baa41977d8e85
container_name: authentik-worker
restart: unless-stopped
command: worker
depends_on:
db:
condition: service_healthy
env_file:
- .env
environment:
AUTHENTIK_POSTGRESQL__HOST: db
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/pg_pass
AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
volumes:
- authentik_data:/data
networks:
- authentik_internal
secrets:
- pg_pass
- authentik_secret_key
volumes:
authentik_database:
driver: local
authentik_data:
driver: local
networks:
authentik_internal:
internal: true
homelab_apps:
external: true
secrets:
pg_pass:
file: ./secrets/pg_pass.txt
authentik_secret_key:
file: ./secrets/authentik_secret_key.txt

1
stacks/dockhand/.env.example Normal file
View File

@@ -0,0 +1 @@
DOCKHAND_DOMAIN=

37
stacks/dockhand/docker-compose.yaml Normal file
View File

@@ -0,0 +1,37 @@
services:
dockhand:
image: fnsys/dockhand@sha256:546e7ab26146a64fe93f5f421d3f73914f495a84bfdb87bc3ff3a199388f44a2
container_name: dockhand
restart: unless-stopped
env_file:
- .env
environment:
- ENCRYPTION_KEY_PATH=/run/secrets/encryption_key
- DISABLE_LOCAL_LOGIN=true
networks:
- homelab_apps
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- dockhand_data:/app/data
secrets:
- encryption_key
labels:
- "traefik.enable=true"
- "traefik.docker.network=homelab_apps"
- "traefik.http.routers.dockhand.rule=Host(`${DOCKHAND_DOMAIN}`)"
- "traefik.http.routers.dockhand.entrypoints=websecure"
- "traefik.http.routers.dockhand.tls=true"
- "traefik.http.routers.dockhand.tls.certresolver=le"
- "traefik.http.services.dockhand.loadbalancer.server.port=3000"
volumes:
dockhand_data:
driver: local
networks:
homelab_apps:
external: true
secrets:
encryption_key:
file: ./secrets/dockhand_encryption_key.txt

1
stacks/gitea/.env.example Normal file
View File

@@ -0,0 +1 @@
GITEA_DOMAIN=

89
stacks/gitea/docker-compose.yaml Normal file
View File

@@ -0,0 +1,89 @@
services:
server:
image: gitea/gitea@sha256:1926e89ad28358ef2146bb8a1b9c3ba24bae681cb02b72d2df11125fdc675abe
container_name: gitea
restart: unless-stopped
depends_on:
db:
condition: service_healthy
env_file:
- .env
environment:
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=db:5432
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD_FILE=/run/secrets/gitea_db_password
- GITEA__server__DOMAIN=${GITEA_DOMAIN}
- GITEA__server__ROOT_URL=https://${GITEA_DOMAIN}
- GITEA__server__SSH_PORT=2222
- GITEA__server__SSH_LISTEN_PORT=2222
- GITEA__service__DISABLE_REGISTRATION=true
- GITEA__service__ENABLE_BASIC_AUTHENTICATION=false
- GITEA__service__ENABLE_PASSWORD_SIGNIN_FORM=false
- GITEA__service__ENABLE_PASSKEY_AUTHENTICATION=false
- GITEA__openid__ENABLE_OPENID_SIGNIN=false
- GITEA__openid__ENABLE_OPENID_SIGNUP=false
networks:
- homelab_apps
- gitea_db_net
ports:
- "2222:2222"
volumes:
- gitea_data:/var/lib/gitea
- gitea_config:/etc/gitea
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
secrets:
- gitea_db_password
labels:
- traefik.enable=true
- traefik.docker.network=homelab_apps
- traefik.http.routers.gitea.rule=Host(`${GITEA_DOMAIN}`)
- traefik.http.routers.gitea.entrypoints=websecure
- traefik.http.routers.gitea.tls=true
- traefik.http.routers.gitea.tls.certresolver=le
- traefik.http.services.gitea.loadbalancer.server.port=3000
db:
image: postgres@sha256:035b9ab53cfa147d7202b61f5f7782b939ae815b7d6bc81c96b7b42ff1fca950
container_name: gitea_db
restart: unless-stopped
environment:
- POSTGRES_DB=gitea
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD_FILE=/run/secrets/gitea_db_password
networks:
- gitea_db_net
volumes:
- gitea_db_data:/var/lib/postgresql
secrets:
- gitea_db_password
healthcheck:
interval: 30s
retries: 5
start_period: 20s
test:
- CMD-SHELL
- pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
timeout: 5s
volumes:
gitea_data:
driver: local
gitea_config:
driver: local
gitea_db_data:
driver: local
networks:
homelab_apps:
external: true
gitea_db_net:
internal: true
secrets:
gitea_db_password:
file: ./secrets/gitea_db_password.txt

1
stacks/homepage/.env.example Normal file
View File

@@ -0,0 +1 @@
HOMEPAGE_DOMAIN=

30
stacks/homepage/docker-compose.yaml Normal file
View File

@@ -0,0 +1,30 @@
services:
homepage:
image: ghcr.io/gethomepage/homepage:v1.10.1@sha256:4815be05c8abf3503272b7ff1ac40c5f7364602a1ed807b0fc5a4cf69df0b15b
container_name: homepage
restart: unless-stopped
env_file:
- .env
environment:
- HOMEPAGE_ALLOWED_HOSTS=${HOMEPAGE_DOMAIN}
networks:
- homelab_apps
volumes:
- ./config:/app/config
labels:
- "traefik.enable=true"
- "traefik.docker.network=homelab_apps"
- "traefik.http.routers.homepage.rule=Host(`${HOMEPAGE_DOMAIN}`)"
- "traefik.http.routers.homepage.entrypoints=websecure"
- "traefik.http.routers.homepage.tls=true"
- "traefik.http.routers.homepage.tls.certresolver=le"
- "traefik.http.services.homepage.loadbalancer.server.port=3000"
- "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server-1:9000/outpost.goauthentik.io/auth/traefik"
- "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
- "traefik.http.routers.homepage.middlewares=authentik"
networks:
homelab_apps:
external: true

1
stacks/proxy/.env.example Normal file
View File

@@ -0,0 +1 @@
ACME_EMAIL=

53
stacks/proxy/docker-compose.yaml Normal file
View File

@@ -0,0 +1,53 @@
services:
tunnel:
image: cloudflare/cloudflared:2026.2.0@sha256:09b8ae19c02e44c075361a64094e6216421672705647b0e8d4ce8d1d8feea7ac
restart: unless-stopped
command: tunnel --no-autoupdate run
environment:
- TUNNEL_TOKEN_FILE=/run/secrets/tunnel_token
networks:
- homelab_proxy
secrets:
- tunnel_token
traefik:
image: traefik:v3.6.8@sha256:daf5df7f7b96cd34a1a499a275cb93c8dbc4ce58d49f98911e0583ba41cc4351
restart: unless-stopped
command:
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls=true
- --certificatesresolvers.le.acme.email=${ACME_EMAIL}
- --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
- --certificatesresolvers.le.acme.dnschallenge=true
- --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
env_file:
- .env
environment:
- CF_DNS_API_TOKEN_FILE=/run/secrets/cf_api_token
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- letsencrypt:/letsencrypt
networks:
- homelab_proxy
- homelab_apps
secrets:
- cf_api_token
volumes:
letsencrypt:
driver: local
networks:
homelab_proxy:
external: true
homelab_apps:
external: true
secrets:
tunnel_token:
file: ./secrets/tunnel_token.txt
cf_api_token:
file: ./secrets/cf_api_token.txt