adding untested changes and new dockers

This commit is contained in:
mk
2026-03-11 22:18:38 -03:00
parent fae6ea1abe
commit 52af4904da
34 changed files with 949 additions and 4 deletions


@@ -0,0 +1,6 @@
PUID=1000
PGID=1001
TZ=America/Chicago
SETTINGS_ENCRYPTION_KEY=changeme
SOURCE_PATH=./source
BACKUP_PATH=./backup
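Review bot: This file (the `.env` the README refers to) is committed with `SETTINGS_ENCRYPTION_KEY=changeme`, so the key that protects the Duplicati settings database is in version control and stays at the placeholder on any deployment that skips the README step. Ship it as `.env.example`, add `.env` to `.gitignore`, and make the compose file refuse to start on an unset key with `SETTINGS_ENCRYPTION_KEY=${SETTINGS_ENCRYPTION_KEY:?set in .env}` so a missing file cannot silently produce an empty key.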


@@ -0,0 +1,5 @@
# Duplicate: backups
change SETTINGS_ENCRYPTION_KEY on .env so it'll correctly encrypt everything.
Source directory is where what you want to backup is
Backup directory is where you want your backup copies to go


@@ -0,0 +1,20 @@
---
services:
duplicati:
image: lscr.io/linuxserver/duplicati:latest
container_name: duplicati
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- SETTINGS_ENCRYPTION_KEY=${SETTINGS_ENCRYPTION_KEY}
- CLI_ARGS= --unencrypted-database #optional
- DUPLICATI__WEBSERVICE_PASSWORD= #optional
- USAGEREPORTER_Duplicati_LEVEL=none # Completely removes all telemetry
volumes:
- ./config:/config
- ${BACKUP_PATH}:/backups
- ${SOURCE_PATH}:/source
ports:
- 8200:8200
restart: unless-stopped
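Review bot: `DUPLICATI__WEBSERVICE_PASSWORD=` is empty while `8200:8200` publishes the web UI on every host interface, so anyone who can reach the host can administer backups, and therefore read the mounted source volume, without credentials. Set the password from `.env` with `- DUPLICATI__WEBSERVICE_PASSWORD=${DUPLICATI__WEBSERVICE_PASSWORD:?}` and, if the UI is only used locally or through Traefik, bind it with `- 127.0.0.1:8200:8200`. `CLI_ARGS= --unencrypted-database` is live rather than optional as the trailing comment suggests, which appears to leave the settings database unencrypted regardless of `SETTINGS_ENCRYPTION_KEY`; comment it out unless that is intended. Note also that `${SETTINGS_ENCRYPTION_KEY}` without `:?` expands to an empty string when `.env` is absent, so the container starts with no key instead of failing.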

3
tools/gitea/README.md Normal file

@@ -0,0 +1,3 @@
# Gitea
A git server, configure app.ini completely, no need to configure anything on docker-compose


@@ -0,0 +1,100 @@
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea
[repository]
ROOT = /data/git/repositories
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = yourdomainhere # CHANGE THIS
SSH_DOMAIN = yourdomainhere # CHANGE THIS
HTTP_PORT = 3000
ROOT_URL = yourdomainhere # CHANGE THIS
DISABLE_SSH = true
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = yoursecrethere # CHANGE THIS
OFFLINE_MODE = false
HTTP_ADDR = 0.0.0.0
LANDING_PAGE=explore
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = securitytokenhere # CHANGE THIS
PASSWORD_HASH_ALGO = pbkdf2
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = true
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[lfs]
PATH = /data/git/lfs
[mailer]
ENABLED = false
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[cron.update_checker]
ENABLED = false
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[oauth2]
JWT_SECRET = jwtsecrethere # CHANGE THIS
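Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = *` together with `REVERSE_PROXY_LIMIT = 1` makes Gitea accept `X-Forwarded-For`/`X-Real-IP` from any peer, and because the accompanying compose file publishes port 3000 on the host, a client talking to Gitea directly can choose the address that ends up in its logs and login rate-limiting. Restrict it to the proxy's network, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = <traefik-subnet-CIDR>` (placeholder), or keep Gitea off the host ports altogether. `ROOT_URL = yourdomainhere` needs a full URL including scheme (`https://.../`), since Gitea builds absolute links and OAuth callbacks from it, and `DOMAIN`/`SSH_DOMAIN` expect a bare hostname rather than the same value. `SECRET_KEY =` is left empty under `INSTALL_LOCK = true`; my understanding is that Gitea then generates one at startup and writes it back into app.ini, which only works while the file is writable — confirm, or set it explicitly alongside the other `# CHANGE THIS` secrets.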


@@ -0,0 +1,23 @@
version: "3"
services:
server:
image: docker.gitea.com/gitea:latest
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
restart: always
networks:
- gitea
volumes:
- ./data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "222:22"
networks:
gitea:
external: false
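Review bot: `"3000:3000"` publishes the plain-HTTP Gitea listener on every host interface, so clients can bypass Traefik and its TLS entirely, which is also what turns the `*` trusted-proxy setting in app.ini into a problem. Either bind it locally with `- "127.0.0.1:3000:3000"` or attach the service to the network Traefik uses and drop the published port; as written, Traefik in the wireguard stack sits on its own `vpn_net`, so with `gitea` declared as a private network it has no path to this container. `"222:22"` publishes the container's SSH daemon even though app.ini sets `DISABLE_SSH = true`; remove one or the other. `version: "3"` is obsolete with Compose v2 and only produces a warning; the other compose files in this commit already omit it.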


@@ -0,0 +1,2 @@
SIGNUPS_ALLOWED=false
INVITATIONS_ALLOWED=true


@@ -0,0 +1,5 @@
# Bitwarden but vaultwarden
This is bitwarden, it's compatible with any bitwarden extension or software, it's just made in rust, generally takes less resources and doesn't scale as well, good for ~50 people(guess)
Configurations by default disable registration and enable them by invitations, change to enable to create the first one and change back to only allow by invitation


@@ -0,0 +1,13 @@
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: always
environment:
# DOMAIN: "https://vaultwarden.example.com" # required when using a reverse proxy; your domain; vaultwarden needs to know it's https to work properly with attachments
SIGNUPS_ALLOWED: ${SIGNUPS_ALLOWED} # Deactivate this with "false" after you have created your account so that no strangers can register
INVITATIONS_ALLOWED: ${INVITATIONS_ALLOWED}
volumes:
- ./data:/data # the path before the : can be changed
ports:
- 8081:80 # you can replace the 11001 with your preferred port
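Review bot: `SIGNUPS_ALLOWED: ${SIGNUPS_ALLOWED}` collapses to an empty string when `.env` is missing, and Vaultwarden's built-in default is to allow signups, so the closed-registration state the README promises depends on a file that is easy to forget; use `SIGNUPS_ALLOWED: ${SIGNUPS_ALLOWED:-false}` and `INVITATIONS_ALLOWED: ${INVITATIONS_ALLOWED:-true}` so the fallback is the safe one. `8081:80` exposes the vault over plain HTTP on all host interfaces while `DOMAIN` is commented out; Bitwarden clients require HTTPS for anything but localhost and in this repository TLS is terminated by Traefik, so bind `127.0.0.1:8081:80` (or publish nothing and route only through Traefik) and set `DOMAIN` to the public HTTPS URL. The inline comment still refers to port 11001 although the mapping uses 8081.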

175
tools/wireguard/README.md Normal file

@@ -0,0 +1,175 @@
# WireGuard VPN + Traefik Reverse Proxy Setup
## Architecture
```
Internet → VPS → WireGuard tunnel → Home Server → Traefik → Containers
```
## Files Structure
```
wireguard/
├── vps/
│ ├── wg0.conf # WireGuard config for VPS
│ ├── setup.sh # Setup script for VPS
│ └── ports.sh # Iptables update script for new ports
├── home/
│ ├── docker-compose.yml
│ ├── wireguard-config/
│ │ └── wg0.conf # WireGuard config for home
│ ├── traefik/
│ │ ├── traefik.yml # Traefik static config
│ │ └── dynamic.yml # Traefik dynamic config
└── README.md
```
---
## Step 1: Setup VPS (Debian)
1. Copy the `vps/` folder to your VPS
2. Run the setup script:
```bash
chmod +x setup.sh
sudo ./setup.sh
```
3. The script will output your VPS keys. Save them:
- **VPS Private Key** → put in `vps/wg0.conf`
- **VPS Public Key** → put in `home/wireguard-config/wg0.conf`
4. Copy the updated `wg0.conf` to `/etc/wireguard/wg0.conf`
5. Wait for Step 2 to get the home public key before starting WireGuard
---
## Step 2: Setup Home Server (Arch)
1. Copy the `home/` folder to your home server
2. Generate WireGuard keys:
```bash
wg genkey | tee privatekey | wg pubkey > publickey
cat privatekey # → put in home/wireguard-config/wg0.conf
cat publickey # → put in vps/wg0.conf on VPS
```
3. Edit `home/wireguard-config/wg0.conf`:
- Replace `HOME_PRIVATE_KEY` with your private key
- Replace `VPS_PUBLIC_KEY` with the VPS public key from Step 1
4. Start the containers:
```bash
docker compose up -d
```
---
## Step 3: Finish VPS Setup
1. On VPS, edit `/etc/wireguard/wg0.conf`:
- Replace `HOME_PUBLIC_KEY` with your home server's public key
2. Start WireGuard:
```bash
sudo systemctl start wg-quick@wg0
```
3. Test the tunnel:
```bash
ping 10.0.0.2
```
---
## Step 4: Point Your Domain to VPS
Create DNS A records pointing to your VPS IP:
```
exampledomain.com → VPS_IP
*.exampledomain.com → VPS_IP (wildcard for subdomains)
```
---
## Step 5: Configure connections to your Containers
Add Traefik configurations to dynamic.yml, the file comes with a simple example:
```yaml
routers:
example-app: #Define service name
# Rules define the domain and/or subdomain you want to use
rule: "Host(`exampledomain.com`) || Host(`subdomain.exampledomain.com`)"
entryPoints:
- web # use HTTP
- websecure # use HTTPS
example-app: blog
services:
example-app: #Service name
loadBalancer:
servers:
- url: "http://example-docker:80" #Docker IP/name and port to have DNS redirect to
```
See `dynamic.yml` for a complete example and use it for configuration.
---
## Useful Commands
### VPS
```bash
# Check WireGuard status
sudo wg show
# View iptables rules
sudo iptables -t nat -L -n -v
# Restart WireGuard
sudo systemctl restart wg-quick@wg0
```
### Home Server
```bash
# View logs
docker compose logs -f
# Restart services
docker compose restart
# Check WireGuard status inside container
docker exec wireguard wg show
```
---
## Troubleshooting
### Tunnel not connecting
- Check both public keys are correct
- Ensure VPS firewall allows UDP 51820
- Check `PersistentKeepalive` is set (for NAT traversal)
### Traefik not getting certificates
- Ensure port 80 is forwarded through VPS
- Check DNS is pointing to VPS IP
- View Traefik logs: `docker compose logs traefik`
### Traffic not reaching home server
- Test tunnel: `ping 10.0.0.2` from VPS
- Check iptables: `sudo iptables -t nat -L PREROUTING -n -v`
- Ensure ip_forward is enabled: `cat /proc/sys/net/ipv4/ip_forward`


@@ -0,0 +1,46 @@
services:
wireguard:
image: lscr.io/linuxserver/wireguard:latest
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=UTC
volumes:
- ./wireguard-config:/config
- /lib/modules:/lib/modules:ro
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
restart: unless-stopped
healthcheck:
test: ["CMD", "ping", "-c", "1", "10.0.0.1"]
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
networks:
vpn_net:
ipv4_address: 172.32.0.2
traefik:
image: traefik:v3.0
container_name: traefik
restart: unless-stopped
depends_on:
wireguard:
condition: service_healthy
network_mode: service:wireguard
volumes:
- ./traefik:/etc/traefik
- ./letsencrypt:/letsencrypt
networks:
vpn_net:
driver: bridge
ipam:
config:
- subnet: 172.32.0.0/24
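Review bot: `subnet: 172.32.0.0/24` (and `ipv4_address: 172.32.0.2`) lies outside the private `172.16.0.0/12` block, which ends at 172.31.255.255, so the bridge claims publicly routable addresses and any Internet host in that range becomes unreachable from these containers. Use a private range such as `subnet: 172.30.0.0/24` with `ipv4_address: 172.30.0.2` (constructed values; any free RFC 1918 range works). `SYS_MODULE` together with `/lib/modules:ro` allows the container to load kernel modules on the host; it is only needed when the host kernel lacks the wireguard module (in-tree since Linux 5.6), so drop it where `modinfo wireguard` shows the module is available. With `network_mode: service:wireguard`, Traefik's unauthenticated API on 8080 (`insecure: true` in traefik.yml) is reachable from everything on `vpn_net` and from the VPS over the tunnel; that is worth a comment next to `network_mode`.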


@@ -0,0 +1,97 @@
# =============================================================================
# Traefik Dynamic Configuration
# This file defines your routers, services, and middlewares.
#
# HTTP → HTTPS redirection is handled globally in traefik.yml, so each service
# only needs a single router for HTTPS.
#
# Sections marked "No changes needed" are reusable building blocks.
# Sections marked "CONFIGURE" are where you add your own services.
# =============================================================================
http:
# --- No changes needed ---------------------------------------------------
middlewares:
https-headers:
# Required for services that need to know the original protocol
# (e.g. Mastodon, Matrix/Synapse)
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
serversTransports:
# Use this for backend containers that use self-signed TLS certs
# (e.g. Nextcloud). Reference it in a service with:
# serversTransport: insecure-transport
insecure-transport:
insecureSkipVerify: true
# -------------------------------------------------------------------------
# --- CONFIGURE -----------------------------------------------------------
routers:
# Basic service
my-service:
rule: "Host(`service.example.com`)" # <-- change domain
entryPoints:
- websecure
service: my-service
tls:
certResolver: letsencrypt
# Service that needs X-Forwarded-Proto (e.g. Mastodon, Synapse)
my-service-with-headers:
rule: "Host(`other.example.com`)" # <-- change domain
entryPoints:
- websecure
service: my-service-with-headers
middlewares:
- https-headers
tls:
certResolver: letsencrypt
# Service with a self-signed cert on the backend (e.g. Nextcloud)
my-https-backend:
rule: "Host(`secure.example.com`)" # <-- change domain
entryPoints:
- websecure
service: my-https-backend
tls:
certResolver: letsencrypt
services:
my-service:
loadBalancer:
servers:
- url: "http://container-name:PORT" # <-- change container name and port
my-service-with-headers:
loadBalancer:
servers:
- url: "http://container-name:PORT" # <-- change container name and port
my-https-backend:
loadBalancer:
servers:
- url: "https://container-name:PORT" # <-- change container name and port
serversTransport: insecure-transport
# -------------------------------------------------------------------------
# =============================================================================
# TCP — only needed for raw TCP services (game servers, etc.)
# Remove this section entirely if you don't need it.
# =============================================================================
tcp:
# --- CONFIGURE -----------------------------------------------------------
routers:
my-tcp-service:
rule: "HostSNI(`*`)"
entryPoints:
- my-tcp-entrypoint # <-- must match an entrypoint defined in traefik.yml
service: my-tcp-service
services:
my-tcp-service:
loadBalancer:
servers:
- address: "container-name:PORT" # <-- change container name and port
# -------------------------------------------------------------------------
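Review bot: The CONFIGURE examples are live configuration, not commented-out samples: `url: "http://container-name:PORT"` and `address: "container-name:PORT"` (`PORT` is not a number) and the `my-tcp-entrypoint` entry point (not defined in traefik.yml) should be rejected by the file provider with errors on every load until they are edited. Comment those routers and services out, or move them to a `dynamic.example.yml` that the README points to, so that a fresh deployment starts clean and a real misconfiguration is not buried in placeholder noise. A one-line comment on the TCP router such as `# HostSNI(\`*\`) is required for non-TLS TCP; narrow only if the backend speaks TLS` would stop readers from "tightening" it into a rule that matches nothing.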


@@ -0,0 +1,45 @@
# =============================================================================
# Traefik Static Configuration
# You generally do not need to change anything in this file except the section
# marked with "CONFIGURE" below.
# =============================================================================
# --- No changes needed -------------------------------------------------------
api:
dashboard: true
insecure: true # Dashboard on port 8080 - only accessible via WireGuard
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
# Add extra TCP/UDP entrypoints here if you need to expose non-HTTP services
# my-tcp:
# address: ":PORT"
providers:
file:
filename: /etc/traefik/dynamic.yml
watch: true
tls:
options:
default:
sniStrict: true # Rejects TLS connections for unknown hostnames
# -----------------------------------------------------------------------------
# --- CONFIGURE ---------------------------------------------------------------
certificatesResolvers:
letsencrypt:
acme:
email: YOUR_EMAIL_HERE@EMAIL.COM # <-- change this
storage: /letsencrypt/acme.json
httpChallenge:
entryPoint: web
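Review bot: `insecure: true` exposes the Traefik API and dashboard on port 8080 with no authentication, and the comment's safety argument depends on 8080 never being forwarded; `vps/ports.sh` only treats 80 and 443 as reserved, so one mistaken `add 8080` would publish the unauthenticated dashboard to the Internet. Prefer `insecure: false` with a router for `api@internal` on `websecure` behind a `basicAuth` middleware, or at least replace the comment with `# API has no authentication: never forward 8080 with ports.sh`. `storage: /letsencrypt/acme.json` is created by Traefik with mode 600 and a more permissive pre-existing file is refused, so the README should warn against pre-creating it with `touch` under the default umask.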
# -----------------------------------------------------------------------------


@@ -0,0 +1,208 @@
#!/bin/bash
# Manage port forwarding from VPS to home server via WireGuard
set -e
INTERFACE=$(ip route | grep default | awk '{print $5}' | head -n1)
HOME_SERVER="10.0.0.2"
show_help() {
echo "Port Forwarding Manager"
echo "========================"
echo "Forward ports from VPS to home server via WireGuard tunnel."
echo ""
echo "Usage: $0 <command> [options]"
echo ""
echo "Commands:"
echo " list Show all currently forwarded ports"
echo " add <port> [protocol] Forward a port to home server"
echo " remove <port> [protocol] Stop forwarding a port"
echo " help Show this help message"
echo ""
echo "Protocol options:"
echo " tcp - TCP only (default)"
echo " udp - UDP only"
echo " both - TCP and UDP"
echo ""
echo "Examples:"
echo " $0 list # Show all forwarded ports"
echo " $0 add 25565 # Forward Minecraft server (TCP)"
echo " $0 add 7777 udp # Forward UDP port 7777"
echo " $0 add 27015 both # Forward game server (TCP+UDP)"
echo " $0 remove 25565 # Stop forwarding port 25565"
echo " $0 remove 7777 udp # Stop forwarding UDP port 7777"
echo ""
echo "Notes:"
echo " - Ports 80 and 443 are reserved for Traefik (HTTP/HTTPS)"
echo " - Changes are saved automatically and persist after reboot"
echo " - Run as root (sudo)"
}
show_add_usage() {
echo "Error: Missing port number"
echo ""
echo "Usage: $0 add <port> [protocol]"
echo ""
echo "Arguments:"
echo " port Port number to forward (required)"
echo " protocol tcp (default), udp, or both"
echo ""
echo "Examples:"
echo " $0 add 25565 # Forward TCP port 25565"
echo " $0 add 7777 udp # Forward UDP port 7777"
echo " $0 add 27015 both # Forward both TCP and UDP"
}
show_remove_usage() {
echo "Error: Missing port number"
echo ""
echo "Usage: $0 remove <port> [protocol]"
echo ""
echo "Arguments:"
echo " port Port number to stop forwarding (required)"
echo " protocol tcp (default), udp, or both"
echo ""
echo "Examples:"
echo " $0 remove 25565 # Stop forwarding TCP port 25565"
echo " $0 remove 7777 udp # Stop forwarding UDP port 7777"
echo " $0 remove 27015 both # Stop forwarding both TCP and UDP"
}
show_invalid_protocol() {
echo "Error: Invalid protocol '$1'"
echo ""
echo "Valid protocols:"
echo " tcp - TCP only (default)"
echo " udp - UDP only"
echo " both - TCP and UDP"
}
list_ports() {
echo "=== Forwarded Ports ==="
echo ""
local found=0
iptables -t nat -L PREROUTING -n 2>/dev/null | grep -E "dpt:" | grep "10.0.0.2" | \
awk '{for(i=1;i<=NF;i++) if($i ~ /dpt:/) print $2, $i}' | \
sed 's/dpt://' | \
while read proto port; do
echo " $port ($proto)"
found=1
done
if [ $found -eq 0 ]; then
# Check again since subshell doesn't preserve variable
if ! iptables -t nat -L PREROUTING -n 2>/dev/null | grep -q "10.0.0.2.*dpt:"; then
echo " No ports currently forwarded (besides 80/443 for Traefik)"
fi
fi
echo ""
}
add_port() {
local port=$1
local proto=$2
echo "Adding $proto port $port -> $HOME_SERVER:$port"
iptables -t nat -A PREROUTING -i $INTERFACE -p $proto --dport $port -j DNAT --to-destination $HOME_SERVER:$port
iptables -A FORWARD -i $INTERFACE -o wg0 -p $proto --dport $port -j ACCEPT
}
remove_port() {
local port=$1
local proto=$2
echo "Removing $proto port $port"
iptables -t nat -D PREROUTING -i $INTERFACE -p $proto --dport $port -j DNAT --to-destination $HOME_SERVER:$port 2>/dev/null || echo " NAT rule not found"
iptables -D FORWARD -i $INTERFACE -o wg0 -p $proto --dport $port -j ACCEPT 2>/dev/null || echo " FORWARD rule not found"
}
save_rules() {
echo ""
echo "Saving iptables rules..."
netfilter-persistent save >/dev/null 2>&1
echo "Done! Changes will persist after reboot."
}
# Main
case ${1:-} in
help|--help|-h)
show_help
;;
list)
list_ports
;;
add)
if [ -z "${2:-}" ]; then
show_add_usage
exit 1
fi
PORT=$2
PROTOCOL=${3:-tcp}
case $PROTOCOL in
tcp)
add_port $PORT tcp
;;
udp)
add_port $PORT udp
;;
both)
add_port $PORT tcp
add_port $PORT udp
;;
*)
show_invalid_protocol $PROTOCOL
exit 1
;;
esac
save_rules
;;
remove)
if [ -z "${2:-}" ]; then
show_remove_usage
exit 1
fi
PORT=$2
PROTOCOL=${3:-tcp}
case $PROTOCOL in
tcp)
remove_port $PORT tcp
;;
udp)
remove_port $PORT udp
;;
both)
remove_port $PORT tcp
remove_port $PORT udp
;;
*)
show_invalid_protocol $PROTOCOL
exit 1
;;
esac
save_rules
;;
"")
echo "Error: No command specified"
echo ""
echo "Usage: $0 <command> [options]"
echo ""
echo "Commands:"
echo " list Show all forwarded ports"
echo " add <port> [protocol] Forward a port"
echo " remove <port> [protocol] Stop forwarding a port"
echo " help Show detailed help"
echo ""
echo "Run '$0 help' for more information."
exit 1
;;
*)
echo "Error: Unknown command '$1'"
echo ""
echo "Valid commands: list, add, remove, help"
echo ""
echo "Run '$0 help' for more information."
exit 1
;;
esac
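Review bot: `add` passes `$2` to iptables without validation: the help text reserves 80 and 443 but nothing enforces it, a non-numeric or multi-word value reaches `--dport $port` unquoted and word-splits into extra arguments, and every repeated `add` appends another identical PREROUTING/FORWARD pair because there is no `iptables -C` check before `-A`. Add a `validate_port` helper invoked in the `add` and `remove` branches before the protocol `case`, and make `add_port` idempotent as below; `remove_port` should quote its variables the same way. In `list_ports` the `found=1` inside the pipeline never reaches the outer shell, as the comment admits, so the first `if` is dead and the `grep -q` test alone can decide the message.
```shell
validate_port() {
    case "$1" in
        ''|*[!0-9]*) echo "Error: port must be a number"; exit 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "Error: port must be between 1 and 65535"; exit 1
    fi
    if [ "$1" -eq 80 ] || [ "$1" -eq 443 ]; then
        echo "Error: ports 80 and 443 are reserved for Traefik"; exit 1
    fi
}

add_port() {
    local port=$1
    local proto=$2
    echo "Adding $proto port $port -> $HOME_SERVER:$port"
    # -C succeeds when an identical rule exists, so repeated adds do not stack duplicates
    iptables -t nat -C PREROUTING -i "$INTERFACE" -p "$proto" --dport "$port" -j DNAT --to-destination "$HOME_SERVER:$port" 2>/dev/null \
        || iptables -t nat -A PREROUTING -i "$INTERFACE" -p "$proto" --dport "$port" -j DNAT --to-destination "$HOME_SERVER:$port"
    iptables -C FORWARD -i "$INTERFACE" -o wg0 -p "$proto" --dport "$port" -j ACCEPT 2>/dev/null \
        || iptables -A FORWARD -i "$INTERFACE" -o wg0 -p "$proto" --dport "$port" -j ACCEPT
}
# … unchanged: remove_port, save_rules, help output …
# in the add and remove branches, right after PORT=$2:
validate_port "$PORT"
```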


@@ -0,0 +1,57 @@
#!/bin/bash
# VPS Setup Script - Run on your Debian VPS as root
set -e
echo "=== Installing WireGuard ==="
apt update
apt install -y wireguard
echo "=== Generating Keys ==="
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
echo ""
echo "========================================"
echo "VPS Private Key (put in wg0.conf):"
cat privatekey
echo ""
echo "VPS Public Key (put in home server config):"
cat publickey
echo "========================================"
echo ""
echo "=== Copy your wg0.conf to /etc/wireguard/wg0.conf ==="
echo "=== Then replace VPS_PRIVATE_KEY with the private key above ==="
echo "=== And replace HOME_PUBLIC_KEY with your home server's public key ==="
echo ""
echo "=== Enabling IP Forwarding ==="
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-wireguard.conf
sysctl -p /etc/sysctl.d/99-wireguard.conf
echo "=== Setting up iptables rules ==="
# Get the main network interface (usually eth0 or ens3)
INTERFACE=$(ip route | grep default | awk '{print $5}' | head -n1)
echo "Detected interface: $INTERFACE"
# Forward ports 80 and 443 to home server via WireGuard
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
iptables -A FORWARD -i $INTERFACE -o wg0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INTERFACE -o wg0 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i wg0 -o $INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
echo "=== Making iptables persistent ==="
apt install -y iptables-persistent
netfilter-persistent save
echo "=== Enabling WireGuard service ==="
systemctl enable wg-quick@wg0
echo ""
echo "=== After you update wg0.conf with keys, run: ==="
echo "systemctl start wg-quick@wg0"
echo ""
echo "=== Done! ==="
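Review bot: Running the script a second time overwrites the key pair (`wg genkey | tee privatekey ...`), which silently breaks the peer that already trusts the old public key, and appends a duplicate of every `iptables -A` rule that `netfilter-persistent save` then persists. Guard the key step with `[ -s privatekey ] || wg genkey | tee privatekey | wg pubkey > publickey` and check each rule with `iptables -C … 2>/dev/null || iptables -A …`. `cat privatekey` prints the private key to the terminal, where it lands in scrollback and session logs; the file is already protected by `umask 077`, so print the public key only and tell the user the path `/etc/wireguard/privatekey`. Since the header says to run as root, a check such as `[ "$(id -u)" -eq 0 ] || { echo "run as root"; exit 1; }` before `apt update` gives a clear error instead of a partial run.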


@@ -0,0 +1,8 @@
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = VPS_PRIVATE_KEY
[Peer]
PublicKey = HOMELAB_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
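Review bot: The placeholder `HOMELAB_PUBLIC_KEY` does not match the name the README (Step 3: "Replace `HOME_PUBLIC_KEY`") and setup.sh's final message tell the user to replace, so a search by the documented name finds nothing; the home config in this commit has the same mismatch with `HOMELAB_PRIVATE_KEY` versus the README's `HOME_PRIVATE_KEY`. Pick one spelling across the four files; `PublicKey = HOME_PUBLIC_KEY` matches the documentation as written.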


@@ -0,0 +1,10 @@
[Interface]
Address = 10.0.0.2/24
PrivateKey = HOMELAB_PRIVATE_KEY
[Peer]
# VPS public key (from VPS's wg genkey | wg pubkey)
PublicKey = VPS_PUBLIC_KEY
Endpoint = VPS_IP:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25