added SSO, Migration to Cloudflare Domain

This commit is contained in:
Lucas Conrad 2026-06-21 18:16:13 +02:00
parent ca2c1767a8
commit 5a95a831bf
12 changed files with 119 additions and 14 deletions


@ -107,7 +107,7 @@
- Gitea:
icon: gitea.png
href: http://git.kotori-waifu
href: https://git.kotori-waifu
description: Git Version Control
- Vaultwarden:
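Review bot: The new href `https://git.kotori-waifu` keeps the bare internal hostname while the Gitea router rule and ROOT_URL in this same commit move to `git.kotori-waifu.cc`, so the dashboard link points at a host no router serves, and a DNS-challenge resolver is unlikely to hold a certificate for that name. Change it to `href: https://git.kotori-waifu.cc`. The services list this entry belongs to starts and ends outside the hunk.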


@ -0,0 +1,44 @@
server:
host: 0.0.0.0
port: 9091
log:
level: debug
theme: dark
totp:
issuer: authelia.com
authentication_backend:
file:
path: /config/users.yml
access_control:
default_policy: deny
rules:
# Bypass authentication for local LAN requests
- domain: "*.kotori-waifu.cc"
networks:
- 192.168.0.0/16
- 10.0.0.0/8
- 172.16.0.0/12
policy: bypass
# Require 2FA for external requests
- domain: "*.kotori-waifu.cc"
policy: two_factor
session:
name: authelia_session
domain: kotori-waifu.cc
secret: '${SESSION_SECRET}'
expiration: 3600
inactivity: 1000
storage:
local:
path: /config/db.sqlite3
notifier:
filesystem:
filename: /config/notification.txt
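Review bot: `secret: '${SESSION_SECRET}'` in the session block is a literal string to Authelia, which does not expand shell-style variables in its configuration file, so unless the template config filter is enabled the session secret is the fixed, committed value `${SESSION_SECRET}`; supply it through the `AUTHELIA_SESSION_SECRET` environment variable (or its `_FILE` variant) and drop the key from the file. The file also omits `storage.encryption_key` and a reset-password `jwt_secret`, which Authelia requires at startup unless they arrive as `AUTHELIA_*` environment variables — worth checking against the `.env` the Authelia stack loads, given that the CI run on this commit is failing. The LAN `bypass` rule decides on the client address Authelia derives from forwarded headers, so add a comment above it such as `# Bypass only holds while Traefik is the sole source of X-Forwarded-For; verify the entrypoint forwardedHeaders settings`. `level: debug` should be `info` for a production deployment.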


@ -0,0 +1,25 @@
services:
authelia:
image: authelia/authelia:latest
container_name: authelia
volumes:
- /opt/homelab/data/authelia:/config
- ./configuration.yml:/config/configuration.yml:ro
- ./users.yml:/config/users.yml:ro
networks:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`auth.kotori-waifu.cc`)"
- "traefik.http.routers.authelia.tls.certresolver=cloudflare"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth"
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
restart: unless-stopped
env_file:
- .env
networks:
proxy_net:
external: true
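Review bot: The `authelia@docker` forwardauth middleware defined here is only attached to the bookstack, immich and seerr routers elsewhere in this commit, while the Authelia `access_control` rules cover every `*.kotori-waifu.cc` host; any router without the middleware (gitea, vaultwarden, mealie, jellyfin, the arr services) is never checked by Authelia and relies purely on the application's own login. If that split is intentional, document it with a comment on the forwardauth label, e.g. `# Only routers that set middlewares=authelia@docker are gated; the Authelia rules do not reach the rest`. The authelia router also lacks `entrypoints=websecure` unlike the gitea and vaultwarden routers, and `authelia/authelia:latest` is unpinned, so a restart can pull a breaking release of the auth gateway.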


@ -0,0 +1,10 @@
users:
kotori:
displayname: "Kotori"
# To generate a password hash, use docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
# Default is 'kotori'
password: "$argon2id$v=19$m=65536,t=3,p=4$R9730030W0Nud7Xq+8qBsg$eP9t0+3/n/S2nUq9YfB6i7x9n/8k8hH1G/1Y5Zt/u+Y"
email: admin@kotori-waifu.cc
groups:
- admins
- dev
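Review bot: The committed hash is identified by the comment above it as the password `kotori`, so this file ships a known credential for a member of the `admins` group on a host this commit routes to a public Cloudflare domain; generate a fresh hash before deploying and reword the comment to `# Replace this hash before first deploy; never note the plaintext here`. Because the Authelia compose stack mounts `users.yml` read-only, Authelia's self-service password change presumably cannot rewrite it, so rotation has to happen in this file. Consider keeping `users.yml` out of the repository (a gitignored file or a secret-managed mount) and committing only a template.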


@ -8,7 +8,7 @@ services:
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD=${DB_PASS}
- GITEA__server__ROOT_URL=https://git.kotori-waifu
- GITEA__server__ROOT_URL=https://git.kotori-waifu.cc
- GITEA__server__SSH_PORT=2222
- GITEA__server__LFS_START_SERVER=true
- GITEA__actions__ENABLED=true
@ -23,9 +23,10 @@ services:
- "2222:2222"
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`git.kotori-waifu`)"
- "traefik.http.routers.gitea.rule=Host(`git.kotori-waifu.cc`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.gitea.tls.certresolver=cloudflare"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.docker.network=proxy_net"
restart: unless-stopped


@ -0,0 +1,2 @@
CF_DNS_API_TOKEN=cfut_7dfJCWj0xn9wlEsnQxEAsPWQZdzGv7GFGrbaWVgI716ae0bb
ACME_EMAIL=lucas-conrad67@gmx.net
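Review bot: This commits a Cloudflare API token and a personal email address into the repository; a token that has been in version control must be treated as compromised, so revoke it in the Cloudflare dashboard, issue a replacement scoped to DNS edit on the single zone, and keep it out of git. Add `.env` to `.gitignore` and commit a `.env.example` with placeholder values such as `CF_DNS_API_TOKEN=<cloudflare-dns-token>` instead. Deleting the file in a later commit does not remove it from history, which is why rotation is needed regardless.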


@ -2,6 +2,8 @@ services:
traefik:
image: traefik:latest
container_name: traefik
env_file:
- .env
user: root # Ensure access to docker.sock
command:
- "--api.insecure=true"
@ -11,14 +13,21 @@ services:
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--log.level=DEBUG"
- "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
# - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.cloudflare.acme.email=${ACME_EMAIL:-admin@kotori-waifu.cc}"
- "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
environment:
- DOCKER_API_VERSION=1.44
- CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
ports:
- "80:80"
- "443:443"
- "8085:8080" # Traefik dashboard (moved from 8080)
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
networks:
- proxy_net
restart: unless-stopped
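Review bot: `CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}` under `environment` duplicates what the new `env_file: .env` entry already injects, so one of the two can go; keeping only `env_file` avoids the token appearing twice in the rendered config. `--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json` persists the ACME account key and every issued private key into the bind-mounted `./letsencrypt` directory next to the compose file, so make sure that directory is ignored by git, the same way `.env` should be. The command block still carries `--api.insecure=true` and `--log.level=DEBUG`, and there is no `--entrypoints.web.http.redirections.entrypoint.to=websecure`, so plain-HTTP requests to the new `.cc` hosts are not redirected to TLS; the `command` list spans both hunks.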


@ -24,7 +24,9 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.bookstack.rule=Host(`bookstack.kotori-waifu`) || Host(`kotoribs.kotori-waifu`) || Host(`bs.kotori-waifu.cc`)"
- "traefik.http.routers.bookstack.rule=Host(`bookstack.kotori-waifu.cc`) || Host(`bs.kotori-waifu.cc`)"
- "traefik.http.routers.bookstack.tls.certresolver=cloudflare"
- "traefik.http.routers.bookstack.middlewares=authelia@docker"
- "traefik.http.services.bookstack.loadbalancer.server.port=80"
- "traefik.docker.network=proxy_net"
restart: unless-stopped


@ -19,7 +19,8 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.mealie.rule=Host(`mealie.kotori-waifu`) || Host(`mealie.kotori-waifu.cc`)"
- "traefik.http.routers.mealie.rule=Host(`mealie.kotori-waifu.cc`)"
- "traefik.http.routers.mealie.tls.certresolver=cloudflare"
- "traefik.http.services.mealie.loadbalancer.server.port=9000"
restart: unless-stopped


@ -14,9 +14,10 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.vaultwarden.rule=Host(`vault.kotori-waifu`)"
- "traefik.http.routers.vaultwarden.rule=Host(`vault.kotori-waifu.cc`)"
- "traefik.http.routers.vaultwarden.entrypoints=websecure"
- "traefik.http.routers.vaultwarden.tls=true"
- "traefik.http.routers.vaultwarden.tls.certresolver=cloudflare"
- "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
networks:


@ -32,7 +32,9 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.immich.rule=Host(`immich.kotori-waifu`) || Host(`immich.kotori-waifu.cc`)"
- "traefik.http.routers.immich.rule=Host(`immich.kotori-waifu.cc`)"
- "traefik.http.routers.immich.tls.certresolver=cloudflare"
- "traefik.http.routers.immich.middlewares=authelia@docker"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.docker.network=proxy_net"
restart: unless-stopped
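Review bot: Adding `middlewares=authelia@docker` in front of Immich gates browser access, but the Immich mobile app and CLI authenticate with their own API key and presumably cannot complete an Authelia two-factor redirect, so they will be blocked from outside the LAN unless the Authelia rules add a `bypass` for the API paths those clients use. If browser-only external access is intended, say so with a comment above the middleware label, e.g. `# Browser-only: Immich mobile/CLI cannot pass forwardauth from outside the LAN`.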


@ -25,10 +25,12 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.torrent.rule=Host(`torrent.kotori-waifu`)"
- "traefik.http.routers.torrent.rule=Host(`torrent.kotori-waifu.cc`)"
- "traefik.http.routers.torrent.tls.certresolver=cloudflare"
- "traefik.http.routers.torrent.service=torrent"
- "traefik.http.services.torrent.loadbalancer.server.port=8080"
- "traefik.http.routers.prowlarr.rule=Host(`prowlarr.kotori-waifu`)"
- "traefik.http.routers.prowlarr.rule=Host(`prowlarr.kotori-waifu.cc`)"
- "traefik.http.routers.prowlarr.tls.certresolver=cloudflare"
- "traefik.http.routers.prowlarr.service=prowlarr"
- "traefik.http.services.prowlarr.loadbalancer.server.port=9696"
restart: unless-stopped
@ -77,7 +79,8 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.radarr.rule=Host(`radarr.kotori-waifu`)"
- "traefik.http.routers.radarr.rule=Host(`radarr.kotori-waifu.cc`)"
- "traefik.http.routers.radarr.tls.certresolver=cloudflare"
- "traefik.http.services.radarr.loadbalancer.server.port=7878"
restart: unless-stopped
@ -97,7 +100,8 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.sonarr.rule=Host(`sonarr.kotori-waifu`)"
- "traefik.http.routers.sonarr.rule=Host(`sonarr.kotori-waifu.cc`)"
- "traefik.http.routers.sonarr.tls.certresolver=cloudflare"
- "traefik.http.services.sonarr.loadbalancer.server.port=8989"
restart: unless-stopped
@ -119,7 +123,8 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.jellyfin.rule=Host(`jellyfin.kotori-waifu`) || Host(`jellyfin.kotori-waifu.cc`)"
- "traefik.http.routers.jellyfin.rule=Host(`jellyfin.kotori-waifu.cc`)"
- "traefik.http.routers.jellyfin.tls.certresolver=cloudflare"
- "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
restart: unless-stopped
@ -140,7 +145,9 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.seerr.rule=Host(`jellyseer.kotori-waifu`) || Host(`seer.kotori-waifu.cc`)"
- "traefik.http.routers.seerr.rule=Host(`jellyseer.kotori-waifu.cc`) || Host(`seer.kotori-waifu.cc`)"
- "traefik.http.routers.seerr.tls.certresolver=cloudflare"
- "traefik.http.routers.seerr.middlewares=authelia@docker"
- "traefik.http.services.seerr.loadbalancer.server.port=5055"
restart: unless-stopped
@ -210,7 +217,8 @@ services:
- proxy_net
labels:
- "traefik.enable=true"
- "traefik.http.routers.komga.rule=Host(`goon.kotori-waifu`)"
- "traefik.http.routers.komga.rule=Host(`goon.kotori-waifu.cc`)"
- "traefik.http.routers.komga.tls.certresolver=cloudflare"
- "traefik.http.services.komga.loadbalancer.server.port=25600"
restart: unless-stopped
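Review bot: The torrent, prowlarr, radarr, sonarr, jellyfin and komga routers now answer on public `.cc` hostnames with a Cloudflare certificate but, unlike the seerr router in the same section, attach no `authelia@docker` middleware, so their web UIs are reachable from the internet behind whatever login each application itself has enabled, which may be none. If the intent is LAN-only access for those, either add the middleware (the Authelia LAN bypass rule keeps local use frictionless) or narrow the rule with a `ClientIP(...)` matcher. Add a comment beside the torrent router label stating which services are deliberately left unauthenticated; the same pattern recurs in the prowlarr, radarr, sonarr, jellyfin and komga hunks.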