Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitized mirror from private repository - 2026-03-07 09:20:44 UTC
Some checks failed
Documentation / Build Docusaurus (push) Failing after 8s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gitea Mirror Bot
2026-03-07 09:20:44 +00:00
commit 17c65dcd3c
1160 changed files with 297105 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
hosts/vms/homelab-vm/.gitkeep Normal file
View File

284
hosts/vms/homelab-vm/alerting.yaml Normal file
View File

@@ -0,0 +1,284 @@
# Alerting Stack - Alertmanager + Notification Bridges
# =============================================================================
# Dual-channel alerting: ntfy (mobile push) + Signal (encrypted messaging)
# =============================================================================
# Deployed via: Portainer GitOps
# Ports: 9093 (Alertmanager), 5000 (signal-bridge), 5001 (ntfy-bridge)
#
# Alert Routing:
# - Warning alerts → ntfy only
# - Critical alerts → ntfy + Signal
# - Resolved alerts → Both channels (for critical)
#
# Uses docker configs to embed Python bridge apps since Portainer GitOps
# doesn't support docker build
configs:
# Alertmanager Configuration
alertmanager_config:
content: |
global:
resolve_timeout: 5m
route:
group_by: ['alertname', 'severity', 'instance']
group_wait: 30s
group_interval: 5m
repeat_interval: 4h
receiver: 'ntfy-all'
routes:
- match:
severity: critical
receiver: 'critical-alerts'
continue: false
- match:
severity: warning
receiver: 'ntfy-all'
receivers:
- name: 'ntfy-all'
webhook_configs:
- url: 'http://ntfy-bridge:5001/alert'
send_resolved: true
- name: 'critical-alerts'
webhook_configs:
- url: 'http://ntfy-bridge:5001/alert'
send_resolved: true
- url: 'http://signal-bridge:5000/alert'
send_resolved: true
inhibit_rules:
- source_match:
severity: 'critical'
target_match:
severity: 'warning'
equal: ['alertname', 'instance']
# ntfy-bridge Python App
ntfy_bridge_app:
content: |
from flask import Flask, request, jsonify
import requests
import os
app = Flask(__name__)
NTFY_URL = os.environ.get('NTFY_URL', 'http://NTFY:80')
NTFY_TOPIC = os.environ.get('NTFY_TOPIC', 'homelab-alerts')
def get_priority(severity, status):
if status == 'resolved':
return '3'
if severity == 'critical':
return '5'
return '4'
def get_tag(severity, status):
if status == 'resolved':
return 'white_check_mark'
if severity == 'critical':
return 'rotating_light'
return 'warning'
def format_alert(alert):
status = alert.get('status', 'firing')
labels = alert.get('labels', {})
annotations = alert.get('annotations', {})
alertname = labels.get('alertname', 'Unknown')
severity = labels.get('severity', 'warning')
instance = labels.get('instance', 'unknown')
status_text = 'RESOLVED' if status == 'resolved' else 'FIRING'
title = f"{alertname} [{status_text}]"
summary = annotations.get('summary', '')
description = annotations.get('description', '')
body_parts = []
if summary:
body_parts.append(summary)
if description and description != summary:
body_parts.append(description)
if instance != 'unknown':
body_parts.append(f"Host: {instance}")
body = '\n'.join(body_parts) if body_parts else f"Alert {status_text.lower()}"
return title, body, severity, status
@app.route('/alert', methods=['POST'])
def handle_alert():
try:
data = request.json
for alert in data.get('alerts', []):
title, body, severity, status = format_alert(alert)
requests.post(f"{NTFY_URL}/{NTFY_TOPIC}", data=body,
headers={'Title': title, 'Priority': get_priority(severity, status), 'Tags': get_tag(severity, status)})
return jsonify({'status': 'sent', 'count': len(data.get('alerts', []))})
except Exception as e:
return jsonify({'status': 'error', 'message': str(e)}), 500
@app.route('/health', methods=['GET'])
def health():
return jsonify({'status': 'healthy'})
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5001)
# signal-bridge Python App
signal_bridge_app:
content: |
import os
import requests
from flask import Flask, request, jsonify
app = Flask(__name__)
SIGNAL_API_URL = os.environ.get('SIGNAL_API_URL', 'http://signal-api:8080')
SIGNAL_SENDER = os.environ.get('SIGNAL_SENDER', '')
SIGNAL_RECIPIENTS = os.environ.get('SIGNAL_RECIPIENTS', '').split(',')
def format_alert_message(alert_data):
messages = []
for alert in alert_data.get('alerts', []):
status = alert.get('status', 'firing')
labels = alert.get('labels', {})
annotations = alert.get('annotations', {})
severity = labels.get('severity', 'warning')
summary = annotations.get('summary', labels.get('alertname', 'Alert'))
description = annotations.get('description', '')
if status == 'resolved':
emoji, text = '✅', 'RESOLVED'
elif severity == 'critical':
emoji, text = '🚨', 'CRITICAL'
else:
emoji, text = '⚠️', 'WARNING'
msg = f"{emoji} [{text}] {summary}"
if description:
msg += f"\n{description}"
messages.append(msg)
return "\n\n".join(messages)
def send_signal_message(message):
if not SIGNAL_SENDER or not SIGNAL_RECIPIENTS:
return False
success = True
for recipient in SIGNAL_RECIPIENTS:
recipient = recipient.strip()
if not recipient:
continue
try:
response = requests.post(f"{SIGNAL_API_URL}/v2/send", json={
"message": message, "number": SIGNAL_SENDER, "recipients": [recipient]
}, timeout=30)
if response.status_code not in [200, 201]:
success = False
except Exception:
success = False
return success
@app.route('/health', methods=['GET'])
def health():
return jsonify({"status": "healthy"})
@app.route('/alert', methods=['POST'])
def receive_alert():
try:
alert_data = request.get_json()
if not alert_data:
return jsonify({"error": "No data"}), 400
message = format_alert_message(alert_data)
if send_signal_message(message):
return jsonify({"status": "sent"})
return jsonify({"status": "partial_failure"}), 207
except Exception as e:
return jsonify({"error": str(e)}), 500
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5000)
services:
alertmanager:
image: prom/alertmanager:latest
container_name: alertmanager
restart: unless-stopped
ports:
- "9093:9093"
configs:
- source: alertmanager_config
target: /etc/alertmanager/alertmanager.yml
volumes:
- alertmanager-data:/alertmanager
command:
- '--config.file=/etc/alertmanager/alertmanager.yml'
- '--storage.path=/alertmanager'
- '--web.external-url=http://localhost:9093'
networks:
- alerting
- monitoring-stack_monitoring
ntfy-bridge:
image: python:3.11-slim
container_name: ntfy-bridge
restart: unless-stopped
ports:
- "5001:5001"
environment:
- NTFY_URL=http://NTFY:80
- NTFY_TOPIC="REDACTED_NTFY_TOPIC"
configs:
- source: ntfy_bridge_app
target: /app/app.py
command: >
sh -c "pip install --quiet flask requests gunicorn &&
cd /app && gunicorn --bind 0.0.0.0:5001 --workers 2 app:app"
networks:
- alerting
- ntfy-stack_default
healthcheck:
test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:5001/health')"]
interval: 30s
timeout: 10s
retries: 3
signal-bridge:
image: python:3.11-slim
container_name: signal-bridge
restart: unless-stopped
ports:
- "5000:5000"
environment:
- SIGNAL_API_URL=http://signal-api:8080
- SIGNAL_SENDER=REDACTED_PHONE_NUMBER
- SIGNAL_RECIPIENTS=REDACTED_PHONE_NUMBER
configs:
- source: signal_bridge_app
target: /app/app.py
command: >
sh -c "pip install --quiet flask requests gunicorn &&
cd /app && gunicorn --bind 0.0.0.0:5000 --workers 2 app:app"
networks:
- alerting
- signal-api-stack_default
healthcheck:
test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:5000/health')"]
interval: 30s
timeout: 10s
retries: 3
volumes:
alertmanager-data:
networks:
alerting:
driver: bridge
monitoring-stack_monitoring:
external: true
ntfy-stack_default:
external: true
signal-api-stack_default:
external: true

57
hosts/vms/homelab-vm/archivebox.yaml Normal file
View File

@@ -0,0 +1,57 @@
# ArchiveBox - Web archiving
# Port: 8000
# Self-hosted internet archiving solution
version: '3.8'
services:
archivebox:
image: archivebox/archivebox:latest
container_name: archivebox
ports:
- "7254:8000"
volumes:
- ./data:/data
environment:
- PUID=1000
- PGID=1000
- ADMIN_USERNAME=vish
- ADMIN_PASSWORD="REDACTED_PASSWORD"
- ALLOWED_HOSTS=*
- CSRF_TRUSTED_ORIGINS=http://localhost:7254
- PUBLIC_INDEX=True
- PUBLIC_SNAPSHOTS=True
- PUBLIC_ADD_VIEW=False
- SEARCH_BACKEND_ENGINE=sonic
- SEARCH_BACKEND_HOST_NAME=sonic
- SEARCH_BACKEND_PASSWORD="REDACTED_PASSWORD"
restart: unless-stopped
archivebox_scheduler:
image: archivebox/archivebox:latest
container_name: archivebox_scheduler
command: schedule --foreground --update --every=day
volumes:
- ./data:/data
environment:
- PUID=1000
- PGID=1000
- TIMEOUT=120
- SEARCH_BACKEND_ENGINE=sonic
- SEARCH_BACKEND_HOST_NAME=sonic
- SEARCH_BACKEND_PASSWORD="REDACTED_PASSWORD"
restart: unless-stopped
sonic:
image: archivebox/sonic:latest
container_name: archivebox_sonic
expose:
- "1491"
environment:
- SEARCH_BACKEND_PASSWORD="REDACTED_PASSWORD"
volumes:
- ./data/sonic:/var/lib/sonic/store
restart: unless-stopped
networks:
default:
name: archivebox_net

23
hosts/vms/homelab-vm/beeper.yaml Normal file
View File

@@ -0,0 +1,23 @@
services:
beeper:
image: ghcr.io/zachatrocity/docker-beeper:latest
container_name: Beeper
healthcheck:
test: ["CMD-SHELL", "nc -z 127.0.0.1 3000 || exit 1"]
interval: 10s
timeout: 5s
retries: 3
start_period: 90s
security_opt:
- seccomp:unconfined
environment:
PUID: 1029
PGID: 100
TZ: America/Los_Angeles
volumes:
- /home/homelab/docker/beeper:/config:rw
ports:
- 3655:3000 # HTTP (redirects to HTTPS — use port 3656)
- 3656:3001 # HTTPS (use this — accept self-signed cert in browser)
shm_size: "2gb"
restart: on-failure:5

14
hosts/vms/homelab-vm/binternet.yaml Normal file
View File

@@ -0,0 +1,14 @@
# Binternet - Pinterest frontend
# Port: 8080
# Privacy-respecting Pinterest frontend
services:
binternet:
container_name: binternet
image: ghcr.io/ahwxorg/binternet:latest
cap_drop:
- ALL
security_opt:
- no-new-privileges:true
ports:
- '21544:8080'
restart: unless-stopped

30
hosts/vms/homelab-vm/cloudflare-tunnel.yaml Normal file
View File

@@ -0,0 +1,30 @@
# Cloudflare Tunnel for Homelab-VM
# Provides secure external access without port forwarding
#
# SETUP INSTRUCTIONS:
# 1. Go to https://one.dash.cloudflare.com/ → Zero Trust → Networks → Tunnels
# 2. Create a new tunnel named "homelab-vm-tunnel"
# 3. Copy the tunnel token (starts with eyJ...)
# 4. Replace TUNNEL_TOKEN_HERE below with your token
# 5. In the tunnel dashboard, add these public hostnames:
#
# | Public Hostname | Service |
# |------------------------|----------------------------|
# | gf.vish.gg | http://localhost:3300 |
# | ntfy.vish.gg | http://localhost:8081 |
# | hoarder.thevish.io | http://localhost:3000 |
# | binterest.thevish.io | http://localhost:21544 |
#
# 6. Deploy this stack
version: '3.8'
services:
cloudflared:
image: cloudflare/cloudflared:latest
container_name: cloudflare-tunnel
restart: unless-stopped
command: tunnel run
environment:
- TUNNEL_TOKEN=${TUNNEL_TOKEN}
network_mode: host # Needed to access localhost services

18
hosts/vms/homelab-vm/dashdot.yaml Normal file
View File

@@ -0,0 +1,18 @@
# Dashdot - Server dashboard
# Port: 3001
# Modern server dashboard
version: "3.9"
services:
dashdot:
image: mauricenino/dashdot
container_name: dashdot
ports:
- "7512:3001"
volumes:
- "/:/mnt/host:ro"
privileged: true
stdin_open: true # same as -it
tty: true # same as -it
restart: unless-stopped

38
hosts/vms/homelab-vm/ddns.yml Normal file
View File

@@ -0,0 +1,38 @@
# Dynamic DNS Updater
# Updates DNS records when IP changes
version: "3.7"
services:
ddns-updater:
image: qmcgaw/ddns-updater
container_name: ddns-updater
network_mode: bridge
ports:
- 8000:8000/tcp
volumes:
- /home/homelab/docker/ddns/data:/updater/data
environment:
- CONFIG=
- PERIOD=5m
- UPDATE_COOLDOWN_PERIOD=5m
- PUBLICIP_FETCHERS=all
- PUBLICIP_HTTP_PROVIDERS=all
- PUBLICIPV4_HTTP_PROVIDERS=all
- PUBLICIPV6_HTTP_PROVIDERS=all
- PUBLICIP_DNS_PROVIDERS=all
- PUBLICIP_DNS_TIMEOUT=3s
- HTTP_TIMEOUT=10s
# Web UI
- LISTENING_PORT=8000
- ROOT_URL=/
# Backup
- BACKUP_PERIOD=0 # 0 to disable
- BACKUP_DIRECTORY=/updater/data
# Other
- LOG_LEVEL=info
- LOG_CALLER=hidden
- SHOUTRRR_ADDRESSES=
restart: unless-stopped

28
hosts/vms/homelab-vm/diun.yaml Normal file
View File

@@ -0,0 +1,28 @@
# Diun — Docker Image Update Notifier
#
# Watches all running containers on this host and sends ntfy
# notifications when upstream images update their digest.
# Schedule: Mondays 09:00 (weekly cadence).
#
# ntfy topic: https://ntfy.vish.gg/diun
services:
diun:
image: crazymax/diun:latest
container_name: diun
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- diun-data:/data
environment:
LOG_LEVEL: info
DIUN_WATCH_WORKERS: "20"
DIUN_WATCH_SCHEDULE: "0 9 * * 1"
DIUN_WATCH_JITTER: 30s
DIUN_PROVIDERS_DOCKER: "true"
DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT: "true"
DIUN_NOTIF_NTFY_ENDPOINT: "https://ntfy.vish.gg"
DIUN_NOTIF_NTFY_TOPIC: "diun"
restart: unless-stopped
volumes:
diun-data:

15
hosts/vms/homelab-vm/dozzle-agent.yaml Normal file
View File

@@ -0,0 +1,15 @@
services:
dozzle-agent:
image: amir20/dozzle:latest
container_name: dozzle-agent
command: agent
volumes:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "7007:7007"
restart: unless-stopped
healthcheck:
test: ["CMD", "/dozzle", "healthcheck"]
interval: 30s
timeout: 5s
retries: 3

17
hosts/vms/homelab-vm/drawio.yml Normal file
View File

@@ -0,0 +1,17 @@
# Draw.io - Diagramming tool
# Port: 8080
# Self-hosted diagram editor
version: "3.9"
services:
drawio:
container_name: Draw.io
image: jgraph/drawio
healthcheck:
test: curl -f http://localhost:8080/ || exit 1
mem_limit: 4g
cpu_shares: 768
security_opt:
- no-new-privileges:true
restart: on-failure:5
ports:
- 5022:8080

83
hosts/vms/homelab-vm/fluxer.yaml Normal file
View File

@@ -0,0 +1,83 @@
# Fluxer Chat Server Deployment
# Domain: st.vish.gg
# Replaces: Stoat Chat
# Status: ✅ DEPLOYED SUCCESSFULLY & CAPTCHA ISSUE RESOLVED
## Deployment Summary
- **Date**: 2026-02-15
- **Domain**: st.vish.gg (Cloudflare DNS grey cloud)
- **Location**: /root/fluxer
- **Replaced**: Stoat Chat (services stopped and removed)
- **Status**: Fully operational with user registration working
## Architecture
Fluxer uses a multi-container architecture with the following services:
- **caddy**: Frontend web server serving the React app (port 8088)
- **gateway**: WebSocket gateway for real-time communication
- **api**: REST API backend (internal port 8080)
- **postgres**: Primary database
- **redis**: Caching and session storage
- **cassandra**: Message storage
- **minio**: File storage (S3-compatible)
- **meilisearch**: Search engine
- **livekit**: Voice/video calling (not configured)
- **worker**: Background job processing
- **media**: Media processing service
- **clamav**: Antivirus scanning
- **metrics**: Monitoring and metrics
## Network Configuration
- **External Access**: nginx reverse proxy → Caddy (port 8088) → API (port 8080)
- **Nginx Config**: /etc/nginx/sites-available/fluxer
- **SSL**: Handled by nginx with existing certificates
## Issues Resolved
### 1. Asset Loading (Fixed)
- **Problem**: Frontend was trying to load assets from external CDN
- **Solution**: Modified build configuration to use local assets
### 2. Captcha Verification (Fixed)
- **Problem**: "verify human" captcha not loading, preventing account creation
- **Root Cause**: Using test Turnstile keys causing 400 errors on registration
- **Solution**: Disabled captcha by setting `CAPTCHA_ENABLED=false` in `/root/fluxer/dev/.env`
- **Result**: User registration now works without captcha requirement
## Configuration Files
- **Main Config**: /root/fluxer/dev/compose.yaml
- **Environment**: /root/fluxer/dev/.env
- **Nginx Config**: /etc/nginx/sites-available/fluxer
## Key Environment Variables
```
CAPTCHA_ENABLED=false
CAPTCHA_PRIMARY_PROVIDER=turnstile
TURNSTILE_SITE_KEY=1x00000000000000000000AA (test key)
TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA (test key)
```
## Verification
- **API Health**: https://st.vish.gg/api/instance ✅
- **Frontend**: https://st.vish.gg/ ✅
- **Registration**: Working without captcha ✅
- **Test User Created**: ID 1472533637105737729 ✅
## Management Commands
```bash
# Start services
cd /root/fluxer && docker compose -f dev/compose.yaml up -d
# Stop services
cd /root/fluxer && docker compose -f dev/compose.yaml down
# View logs
cd /root/fluxer && docker compose -f dev/compose.yaml logs [service_name]
# Restart API only
cd /root/fluxer && docker compose -f dev/compose.yaml restart api
```
## Notes
- Captcha can be re-enabled later by setting `CAPTCHA_ENABLED=true` and configuring proper Turnstile keys
- Voice/video calling requires LiveKit configuration (currently disabled)
- All data is persisted in Docker volumes
- Service runs in development mode for easier debugging

46
hosts/vms/homelab-vm/fstab.mounts Normal file
View File

@@ -0,0 +1,46 @@
# fstab remote mounts for homelab-vm (192.168.0.210)
# Credentials files (chmod 600, owner root):
# /etc/samba/.atlantis_credentials — vish @ Atlantis + Setillo
# /etc/samba/.calypso_credentials — Vish @ Calypso
# /etc/samba/.setillo_credentials — vish @ Setillo
# /etc/samba/.pi5_credentials — vish @ pi-5
# /etc/samba/.guava_credentials — vish @ Guava (TrueNAS; password has literal \! — not !)
# ── Atlantis (192.168.0.200) - Synology 1823xs+ ──────────────────────────────
# NFS (archive only — only share DSM exports to this host via NFS)
192.168.0.200:/volume1/archive /mnt/repo_atlantis nfs vers=3,_netdev,nofail 0 0
# CIFS
//192.168.0.200/data /mnt/atlantis_data cifs credentials=/etc/samba/.atlantis_credentials,vers=3.0,_netdev,nofail 0 0
//192.168.0.200/docker /mnt/atlantis_docker cifs credentials=/etc/samba/.atlantis_credentials,vers=3.0,_netdev,nofail 0 0
//192.168.0.200/downloads /mnt/atlantis_downloads cifs credentials=/etc/samba/.atlantis_credentials,vers=3.0,_netdev,nofail 0 0
//192.168.0.200/games /mnt/atlantis_games cifs credentials=/etc/samba/.atlantis_credentials,vers=3.0,_netdev,nofail 0 0
//192.168.0.200/torrents /mnt/atlantis_torrents cifs credentials=/etc/samba/.atlantis_credentials,vers=3.0,_netdev,nofail 0 0
//192.168.0.200/usenet /mnt/atlantis_usenet cifs credentials=/etc/samba/.atlantis_credentials,vers=3.0,_netdev,nofail 0 0
//192.168.0.200/website /mnt/atlantis_website cifs credentials=/etc/samba/.atlantis_credentials,vers=3.0,_netdev,nofail 0 0
//192.168.0.200/documents /mnt/atlantis_documents cifs credentials=/etc/samba/.atlantis_credentials,vers=3.0,_netdev,nofail 0 0
# ── Calypso (100.103.48.78) - Synology DS723+ via Tailscale ──────────────────
//100.103.48.78/data /mnt/calypso_data cifs credentials=/etc/samba/.calypso_credentials,vers=3.0,_netdev,nofail 0 0
//100.103.48.78/docker /mnt/calypso_docker cifs credentials=/etc/samba/.calypso_credentials,vers=3.0,_netdev,nofail 0 0
//100.103.48.78/docker2 /mnt/calypso_docker2 cifs credentials=/etc/samba/.calypso_credentials,vers=3.0,_netdev,nofail 0 0
//100.103.48.78/dropboxsync /mnt/calypso_dropboxsync cifs credentials=/etc/samba/.calypso_credentials,vers=3.0,_netdev,nofail 0 0
//100.103.48.78/Files /mnt/calypso_files cifs credentials=/etc/samba/.calypso_credentials,vers=3.0,_netdev,nofail 0 0
//100.103.48.78/netshare /mnt/calypso_netshare cifs credentials=/etc/samba/.calypso_credentials,vers=3.0,_netdev,nofail 0 0
# ── Setillo (100.125.0.20) - Synology DS223j via Tailscale ───────────────────
//100.125.0.20/backups /mnt/setillo_backups cifs credentials=/etc/samba/.setillo_credentials,vers=3.0,_netdev,nofail 0 0
//100.125.0.20/docker /mnt/setillo_docker cifs credentials=/etc/samba/.setillo_credentials,vers=3.0,_netdev,nofail 0 0
//100.125.0.20/PlexMediaServer /mnt/setillo_plex cifs credentials=/etc/samba/.setillo_credentials,vers=3.0,_netdev,nofail 0 0
//100.125.0.20/syncthing /mnt/setillo_syncthing cifs credentials=/etc/samba/.setillo_credentials,vers=3.0,_netdev,nofail 0 0
# ── pi-5 / rpi5-vish (192.168.0.66) - Raspberry Pi 5 ────────────────────────
//192.168.0.66/storagepool /mnt/pi5_storagepool cifs credentials=/etc/samba/.pi5_credentials,vers=3.0,_netdev,nofail 0 0
# ── Guava (100.75.252.64) - TrueNAS SCALE via Tailscale ──────────────────────
//100.75.252.64/photos /mnt/guava_photos cifs credentials=/etc/samba/.guava_credentials,vers=3.0,_netdev,nofail 0 0
//100.75.252.64/data /mnt/guava_data cifs credentials=/etc/samba/.guava_credentials,vers=3.0,_netdev,nofail 0 0
//100.75.252.64/guava_turquoise /mnt/guava_turquoise cifs credentials=/etc/samba/.guava_credentials,vers=3.0,_netdev,nofail 0 0
//100.75.252.64/website /mnt/guava_website cifs credentials=/etc/samba/.guava_credentials,vers=3.0,_netdev,nofail 0 0
//100.75.252.64/jellyfin /mnt/guava_jellyfin cifs credentials=/etc/samba/.guava_credentials,vers=3.0,_netdev,nofail 0 0
//100.75.252.64/truenas-exporters /mnt/guava_exporters cifs credentials=/etc/samba/.guava_credentials,vers=3.0,_netdev,nofail 0 0
//100.75.252.64/iso /mnt/guava_iso cifs credentials=/etc/samba/.guava_credentials,vers=3.0,_netdev,nofail 0 0

20
hosts/vms/homelab-vm/gitea-ntfy-bridge.yaml Normal file
View File

@@ -0,0 +1,20 @@
# Gitea to ntfy Webhook Bridge
# Receives Gitea webhooks and forwards formatted messages to ntfy
# Port: 8095 (internal)
#
# Usage: Add webhook in Gitea pointing to http://192.168.0.210:8095/webhook
# Target ntfy topic: homelab-alerts
services:
gitea-ntfy-bridge:
image: python:3.12-alpine
container_name: gitea-ntfy-bridge
environment:
- NTFY_URL=https://ntfy.vish.gg
- NTFY_TOPIC="REDACTED_NTFY_TOPIC"
ports:
- "8095:8095"
volumes:
- ./gitea-ntfy-bridge:/app:ro
command: ["python", "/app/bridge.py"]
restart: unless-stopped

140
hosts/vms/homelab-vm/gitea-ntfy-bridge/bridge.py Normal file
View File

@@ -0,0 +1,140 @@
#!/usr/bin/env python3
"""Gitea to ntfy Webhook Bridge - Translates Gitea events to ntfy notifications"""
import os
import sys
import json
import urllib.request
from http.server import HTTPServer, BaseHTTPRequestHandler
# Force unbuffered output
sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', buffering=1)
sys.stderr = os.fdopen(sys.stderr.fileno(), 'w', buffering=1)
NTFY_URL = os.environ.get("NTFY_URL", "https://ntfy.vish.gg")
NTFY_TOPIC = os.environ.get("NTFY_TOPIC", "homelab-alerts")
class WebhookHandler(BaseHTTPRequestHandler):
def do_GET(self):
"""Health check endpoint"""
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.end_headers()
self.wfile.write(b"Gitea-ntfy bridge OK\n")
print(f"Health check from {self.client_address[0]}", flush=True)
def do_POST(self):
content_length = int(self.headers.get("Content-Length", 0))
body = self.rfile.read(content_length)
try:
data = json.loads(body) if body else {}
event_type = self.headers.get("X-Gitea-Event", "unknown")
print(f"Received {event_type} event from {self.client_address[0]}", flush=True)
title, message, tags, priority = self.format_message(event_type, data)
if title and message:
print(f"Sending notification: {title}", flush=True)
self.send_ntfy(title, message, tags, priority)
self.send_response(200)
else:
print(f"Ignoring event type: {event_type}", flush=True)
self.send_response(204) # No content to send
except Exception as e:
print(f"Error processing webhook: {e}", flush=True)
self.send_response(500)
self.end_headers()
def format_message(self, event_type, data):
"""Format Gitea event into ntfy message"""
repo = data.get("repository", {}).get("full_name", "unknown")
sender = data.get("sender", {}).get("login", "unknown")
title = None
message = None
tags = "git"
priority = "default"
if event_type == "push":
commits = data.get("commits", [])
branch = data.get("ref", "").replace("refs/heads/", "")
count = len(commits)
title = f"Push to {repo}"
message = f"{sender} pushed {count} commit(s) to {branch}"
if commits:
message += f"\n\n* {commits[0].get('message', '').split(chr(10))[0]}"
if count > 1:
message += f"\n* ... and {count - 1} more"
tags = "package"
elif event_type == "pull_request":
action = data.get("action", "")
pr = data.get("pull_request", {})
pr_title = pr.get("title", "")
pr_num = pr.get("number", "")
title = f"PR #{pr_num} {action}"
message = f"{repo}: {pr_title}\nBy: {sender}"
tags = "twisted_rightwards_arrows"
if action == "opened":
priority = "high"
elif event_type == "issues":
action = data.get("action", "")
issue = data.get("issue", {})
issue_title = issue.get("title", "")
issue_num = issue.get("number", "")
title = f"Issue #{issue_num} {action}"
message = f"{repo}: {issue_title}\nBy: {sender}"
tags = "clipboard"
elif event_type == "release":
action = data.get("action", "")
release = data.get("release", {})
tag = release.get("tag_name", "")
title = f"Release {tag}"
message = f"{repo}: New release {action}\n{release.get('name', tag)}"
tags = "rocket"
priority = "high"
elif event_type == "create":
ref_type = data.get("ref_type", "")
ref = data.get("ref", "")
title = f"New {ref_type}: {ref}"
message = f"{repo}\nCreated by: {sender}"
tags = "sparkles"
elif event_type == "delete":
ref_type = data.get("ref_type", "")
ref = data.get("ref", "")
title = f"Deleted {ref_type}: {ref}"
message = f"{repo}\nDeleted by: {sender}"
tags = "wastebasket"
return title, message, tags, priority
def send_ntfy(self, title, message, tags="git", priority="default"):
"""Send notification to ntfy"""
url = f"{NTFY_URL}/{NTFY_TOPIC}"
headers = {
"Title": title,
"Tags": tags,
"Priority": priority,
}
req = urllib.request.Request(url, data=message.encode('utf-8'), headers=headers, method="POST")
try:
with urllib.request.urlopen(req, timeout=10) as resp:
print(f"Sent: {title} -> {resp.status}")
except Exception as e:
print(f"Failed to send ntfy: {e}")
def log_message(self, format, *args):
print(f"[{self.log_date_time_string()}] {format % args}")
if __name__ == "__main__":
server = HTTPServer(("0.0.0.0", 8095), WebhookHandler)
print(f"Gitea-ntfy bridge running on :8095 -> {NTFY_URL}/{NTFY_TOPIC}")
server.serve_forever()

18
hosts/vms/homelab-vm/gotify.yml Normal file
View File

@@ -0,0 +1,18 @@
# Gotify - Push notifications
# Port: 8070
# Self-hosted push notification server
version: '3.9'
services:
gotify:
image: ghcr.io/gotify/server:latest
container_name: Gotify
restart: on-failure:5
ports:
- 8081:80
volumes:
- /home/homelab/docker/gotify:/app/data:rw
environment:
GOTIFY_DEFAULTUSER_NAME: vish
GOTIFY_DEFAULTUSER_PASS: "REDACTED_PASSWORD"
TZ: America/Los_Angeles

42
hosts/vms/homelab-vm/hoarder.yaml Normal file
View File

@@ -0,0 +1,42 @@
# Hoarder/Karakeep - Bookmark manager
# Port: 3000
# AI-powered bookmark and note manager
services:
web:
image: ghcr.io/hoarder-app/hoarder:${HOARDER_VERSION:-release}
restart: unless-stopped
volumes:
- /home/homelab/docker/hoarder/data:/data
ports:
- 3482:3000
environment:
MEILI_ADDR: http://meilisearch:7700
BROWSER_WEB_URL: http://chrome:9222
OPENAI_API_KEY: "REDACTED_API_KEY"
DATA_DIR: /data
NEXTAUTH_SECRET: "REDACTED_NEXTAUTH_SECRET"
MEILI_MASTER_KEY: ${MEILI_MASTER_KEY}
chrome:
image: gcr.io/zenika-hub/alpine-chrome:123
restart: unless-stopped
command:
- chromium-browser
- --no-sandbox
- --disable-gpu
- --disable-dev-shm-usage
- --remote-debugging-address=0.0.0.0
- --remote-debugging-port=9222
- --hide-scrollbars
ports:
- 9222:9222 # optional, for debugging
meilisearch:
image: getmeili/meilisearch:v1.6
restart: unless-stopped
environment:
MEILI_NO_ANALYTICS: "true"
volumes:
- /root/docker/hoarder/meilisearch:/meili_data
volumes:
meilisearch:
data:

18
hosts/vms/homelab-vm/l4d2_docker.yaml Normal file
View File

@@ -0,0 +1,18 @@
# Left 4 Dead 2 - Game server
# Port: 27015
# L4D2 dedicated game server
version: '3.4'
services:
linuxgsm-l4d2:
image: gameservermanagers/gameserver:l4d2
# image: ghcr.io/gameservermanagers/gameserver:csgo
container_name: l4d2server
volumes:
- /home/homelab/docker/l4d2:/data
ports:
- "27015:27015/tcp"
- "27015:27015/udp"
- "27020:27020/udp"
- "27005:27005/udp"
restart: unless-stopped

23
hosts/vms/homelab-vm/libreddit.yaml Normal file
View File

@@ -0,0 +1,23 @@
# Redlib - Reddit frontend (maintained fork of Libreddit)
# Port: 9000
# Privacy-respecting Reddit frontend
# NOTE: Reddit actively blocks these frontends. May return 403 errors.
# See: https://github.com/redlib-org/redlib/issues
services:
redlib:
image: quay.io/redlib/redlib:latest
container_name: Redlib
hostname: redlib
mem_limit: 2g
cpu_shares: 768
security_opt:
- no-new-privileges:true
read_only: true
healthcheck:
test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
interval: 30s
timeout: 5s
ports:
- 9000:8080
restart: on-failure:5

61
hosts/vms/homelab-vm/mattermost.yml Normal file
View File

@@ -0,0 +1,61 @@
# Mattermost - Team collaboration
# Port: 8065
# Self-hosted Slack alternative
# DB: host postgres (172.17.0.1:5432) — not containerized
# Compose file lives on host at: /opt/mattermost/docker-compose.yml
services:
mattermost:
image: mattermost/mattermost-team-edition:11.4
container_name: mattermost
restart: unless-stopped
security_opt:
- no-new-privileges:true
pids_limit: 200
read_only: false
tmpfs:
- /tmp
ports:
- "8065:8065"
environment:
TZ: UTC
MM_SQLSETTINGS_DRIVERNAME: postgres
MM_SQLSETTINGS_DATASOURCE: "postgres://mmuser:${MM_DB_PASSWORD}@172.17.0.1:5432/mattermost?sslmode=disable&connect_timeout=10" # pragma: allowlist secret
MM_SERVICESETTINGS_SITEURL: https://mm.crista.love
MM_SERVICESETTINGS_LISTENADDRESS: ":8065"
MM_FILESETTINGS_DRIVERNAME: local
MM_FILESETTINGS_DIRECTORY: /mattermost/data
MM_LOGSETTINGS_CONSOLELEVEL: INFO
MM_LOGSETTINGS_FILELEVEL: INFO
MM_EMAILSETTINGS_ENABLESMTPAUTH: "true"
MM_EMAILSETTINGS_SMTPSERVER: smtp.gmail.com
MM_EMAILSETTINGS_SMTPPORT: "587"
MM_EMAILSETTINGS_CONNECTIONSECURITY: STARTTLS
MM_EMAILSETTINGS_SMTPUSERNAME: ${MM_SMTP_USERNAME} # set in .env
MM_EMAILSETTINGS_FEEDBACKEMAIL: ${MM_FEEDBACK_EMAIL} # set in .env
MM_EMAILSETTINGS_FEEDBACKNAME: Mattermost
MM_EMAILSETTINGS_SENDEMAILNOTIFICATIONS: "true"
MM_TEAMSETTINGS_ENABLEOPENSERVER: "true"
MM_TEAMSETTINGS_MAXUSERSPERTEAM: "50"
# Authentik OAuth2 via GitLab-compatible provider (works with Team Edition)
MM_GITLABSETTINGS_ENABLE: "true"
MM_GITLABSETTINGS_ID: ${MM_OAUTH_CLIENT_ID} # set in .env
MM_GITLABSETTINGS_SECRET: ${MM_OAUTH_CLIENT_SECRET} # set in .env # pragma: allowlist secret
MM_GITLABSETTINGS_SCOPE: "openid profile email"
MM_GITLABSETTINGS_AUTHENDPOINT: "https://sso.vish.gg/application/o/authorize/"
MM_GITLABSETTINGS_TOKENENDPOINT: "https://sso.vish.gg/application/o/token/"
MM_GITLABSETTINGS_USERAPIENDPOINT: "https://sso.vish.gg/application/o/userinfo/"
MM_GITLABSETTINGS_BUTTONTEXTCOLOR: "#FFFFFF"
MM_GITLABSETTINGS_BUTTONCOLOR: "#fd4b2d"
env_file:
- .env
volumes:
- /opt/mattermost/config:/mattermost/config:rw
- /opt/mattermost/data:/mattermost/data:rw
- /opt/mattermost/logs:/mattermost/logs:rw
- /opt/mattermost/plugins:/mattermost/plugins:rw
- /opt/mattermost/client-plugins:/mattermost/client/plugins:rw
# No custom healthcheck needed — the image provides one via:
# CMD /mattermost/bin/mmctl system status --local
extra_hosts:
- "host.docker.internal:host-gateway"

64
hosts/vms/homelab-vm/monitoring-compose.yml Normal file
View File

@@ -0,0 +1,64 @@
# Prometheus + Grafana Monitoring Stack - LIVE DEPLOYMENT
# =============================================================================
# This is the actual running compose at /home/homelab/docker/monitoring/
# Deployed directly with docker compose, NOT via Portainer.
#
# Config files are bind-mounted from the same directory:
# ./prometheus/prometheus.yml - scrape config + alerting rules reference
# ./prometheus/alert-rules.yml - alerting rules
# ./grafana/provisioning/ - datasources + dashboard provisioning
#
# To redeploy: docker compose -f this file up -d (from /home/homelab/docker/monitoring/)
# To reload Prometheus config without restart: curl -X POST http://localhost:9090/-/reload
#
# See monitoring.yaml for the self-contained Portainer GitOps version (embedded configs).
# =============================================================================
version: "3.8"
services:
prometheus:
image: prom/prometheus:latest
container_name: prometheus
volumes:
- ./prometheus:/etc/prometheus
- prometheus-data:/prometheus
command:
- "--config.file=/etc/prometheus/prometheus.yml"
- "--storage.tsdb.path=/prometheus"
- "--web.enable-lifecycle"
ports:
- "9090:9090"
restart: unless-stopped
grafana:
image: grafana/grafana-oss:latest
container_name: grafana
environment:
- GF_SECURITY_ADMIN_USER=admin
- GF_SECURITY_ADMIN_PASSWORD="REDACTED_PASSWORD"
volumes:
- grafana-data:/var/lib/grafana
- ./grafana/provisioning/datasources:/etc/grafana/provisioning/datasources
- ./grafana/provisioning/dashboards:/etc/grafana/provisioning/dashboards
- ./grafana/dashboards:/var/lib/grafana/dashboards
ports:
- "3300:3000"
restart: unless-stopped
node_exporter:
image: prom/node-exporter:latest
container_name: node_exporter
network_mode: host
pid: host
volumes:
- /:/host:ro,rslave
- /sys:/host/sys:ro
- /proc:/host/proc:ro
command:
- '--path.rootfs=/host'
restart: unless-stopped
volumes:
prometheus-data:
grafana-data:

1052
hosts/vms/homelab-vm/monitoring.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

13
hosts/vms/homelab-vm/node-exporter.yml Normal file
View File

@@ -0,0 +1,13 @@
# Node Exporter - Metrics
# Port: 9100
# Prometheus hardware/OS metrics
version: '3.8'
services:
node-exporter:
image: prom/node-exporter:latest
container_name: node-exporter
restart: unless-stopped
ports:
- "9100:9100"

43
hosts/vms/homelab-vm/ntfy.yaml Normal file
View File

@@ -0,0 +1,43 @@
# ntfy - Push notifications
# Port: 8081 - ntfy server
# Port: 8095 - Gitea webhook bridge
# Simple pub-sub notification service with Gitea integration
version: "3.9"
services:
ntfy:
image: binwiederhier/ntfy
container_name: NTFY
command:
- serve
environment:
- TZ=America/Los_Angeles
volumes:
- /home/homelab/docker/ntfy:/var/cache/ntfy:rw
- /home/homelab/docker/ntfy/config:/etc/ntfy:rw
healthcheck:
test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"]
interval: 60s
timeout: 10s
retries: 3
start_period: 40s
ports:
- 8081:80 # Exposing on port 8081
restart: on-failure:5
gitea-ntfy-bridge:
image: python:3.12-alpine
container_name: gitea-ntfy-bridge
environment:
- NTFY_URL=https://ntfy.vish.gg
- NTFY_TOPIC="REDACTED_NTFY_TOPIC"
- TZ=America/Los_Angeles
- PYTHONUNBUFFERED=1
ports:
- "8095:8095"
volumes:
- /home/homelab/docker/gitea-ntfy-bridge:/app:ro
command: ["python", "-u", "/app/bridge.py"]
restart: unless-stopped
depends_on:
- ntfy

374
hosts/vms/homelab-vm/ntfy/server.yml Normal file
View File

@@ -0,0 +1,374 @@
# ntfy server config file
#
# Please refer to the documentation at https://ntfy.sh/REDACTED_TOPIC/config/ for details.
# All options also support underscores (_) instead of dashes (-) to comply with the YAML spec.
# Public facing base URL of the service (e.g. https://ntfy.sh or https://ntfy.example.com)
#
# This setting is required for any of the following features:
# - attachments (to return a download URL)
# - e-mail sending (for the topic URL in the email footer)
# - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic)
# - Matrix Push Gateway (to validate that the pushkey is correct)
#
#
base-url: "https://ntfy.vish.gg"
# Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also
# set "key-file" and "cert-file". Format: [<ip>]:<port>, e.g. "1.2.3.4:8080".
#
# To listen on all interfaces, you may omit the IP address, e.g. ":443".
# To disable HTTP, set "listen-http" to "-".
#
# listen-http: ":80"
# listen-https:
# Listen on a Unix socket, e.g. /var/lib/ntfy/ntfy.sock
# This can be useful to avoid port issues on local systems, and to simplify permissions.
#
# listen-unix: <socket-path>
# listen-unix-mode: <linux permissions, e.g. 0700>
# Path to the private key & cert file for the HTTPS web server. Not used if "listen-https" is not set.
#
# key-file: <filename>
# cert-file: <filename>
# If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app.
# This is optional and only required to save battery when using the Android app.
#
# firebase-key-file: <filename>
# If "cache-file" is set, messages are cached in a local SQLite database instead of only in-memory.
# This allows for service restarts without losing messages in support of the since= parameter.
#
# The "cache-duration" parameter defines the duration for which messages will be buffered
# before they are deleted. This is required to support the "since=..." and "poll=1" parameter.
# To disable the cache entirely (on-disk/in-memory), set "cache-duration" to 0.
# The cache file is created automatically, provided that the correct permissions are set.
#
# The "cache-startup-queries" parameter allows you to run commands when the database is initialized,
# e.g. to enable WAL mode (see https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)).
# Example:
# cache-startup-queries: |
# pragma journal_mode = WAL;
# pragma synchronous = normal;
# pragma temp_store = memory;
# pragma busy_timeout = 15000;
# vacuum;
#
# The "cache-batch-size" and "cache-batch-timeout" parameter allow enabling async batch writing
# of messages. If set, messages will be queued and written to the database in batches of the given
# size, or after the given timeout. This is only required for high volume servers.
#
# Debian/RPM package users:
# Use /var/cache/ntfy/cache.db as cache file to avoid permission issues. The package
# creates this folder for you.
#
# Check your permissions:
# If you are running ntfy with systemd, make sure this cache file is owned by the
# ntfy user and group by running: chown ntfy.ntfy <filename>.
#
# cache-file: <filename>
# cache-duration: "12h"
# cache-startup-queries:
# cache-batch-size: 0
# cache-batch-timeout: "0ms"
# If set, access to the ntfy server and API can be controlled on a granular level using
# the 'ntfy user' and 'ntfy access' commands. See the --help pages for details, or check the docs.
#
# - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist
# - auth-default-access defines the default/fallback access if no access control entry is found; it can be
# set to "read-write" (default), "read-only", "write-only" or "deny-all".
# - auth-startup-queries allows you to run commands when the database is initialized, e.g. to enable
# WAL mode. This is similar to cache-startup-queries. See above for details.
#
# Debian/RPM package users:
# Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package
# creates this folder for you.
#
# Check your permissions:
# If you are running ntfy with systemd, REDACTED_APP_PASSWORD database file is owned by the
# ntfy user and group by running: chown ntfy.ntfy <filename>.
#
# auth-file: <filename>
# auth-default-access: "read-write"
# auth-startup-queries:
# If set, the X-Forwarded-For header is used to determine the visitor IP address
# instead of the remote address of the connection.
#
# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited
# as if they are one.
#
# behind-proxy: false
# If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments
# are "attachment-cache-dir" and "base-url".
#
# - attachment-cache-dir is the cache directory for attached files
# - attachment-total-size-limit is the limit of the on-disk attachment cache directory (total size)
# - attachment-file-size-limit is the per-file attachment size limit (e.g. 300k, 2M, 100M)
# - attachment-expiry-duration is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h)
#
# attachment-cache-dir:
# attachment-total-size-limit: "5G"
# attachment-file-size-limit: "15M"
# attachment-expiry-duration: "3h"
# If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set,
# messages will additionally be sent out as e-mail using an external SMTP server.
#
# As of today, only SMTP servers with plain text auth (or no auth at all), and STARTLS are supported.
# Please also refer to the rate limiting settings below (visitor-email-limit-burst & visitor-email-limit-burst).
#
# - smtp-sender-addr is the hostname:port of the SMTP server
# - smtp-sender-from is the e-mail address of the sender
# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user (leave blank for no auth)
#
# smtp-sender-addr:
# smtp-sender-from:
# smtp-sender-user:
# smtp-sender-pass:
# If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send
# emails to a topic e-mail address to publish messages to a topic.
#
# - smtp-server-listen defines the IP address and port the SMTP server will listen on, e.g. :25 or 1.2.3.4:25
# - smtp-server-domain is the e-mail domain, e.g. ntfy.sh
# - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-",
# for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to
# $topic@ntfy.sh will be accepted (which may obviously be a spam problem).
#
# smtp-server-listen:
# smtp-server-domain:
# smtp-server-addr-prefix:
# Web Push support (background notifications for browsers)
#
# If enabled, allows ntfy to receive push notifications, even when the ntfy web app is closed. When enabled, users
# can enable background notifications in the web app. Once enabled, ntfy will forward published messages to the push
# endpoint, which will then forward it to the browser.
#
# You must configure web-push-public/private key, web-push-file, and web-push-email-address below to enable Web Push.
# Run "ntfy webpush keys" to generate the keys.
#
# - web-push-public-key is the generated VAPID public key, e.g. AA1234BBCCddvveekaabcdfqwertyuiopasdfghjklzxcvbnm1234567890
# - web-push-private-key is the generated VAPID private key, e.g. AA2BB1234567890abcdefzxcvbnm1234567890
# - web-push-file is a database file to keep track of browser subscription endpoints, e.g. `/var/cache/ntfy/webpush.db`
# - web-push-email-address is the admin email address send to the push provider, e.g. `sysadmin@example.com`
# - web-push-startup-queries is an optional list of queries to run on startup`
#
# web-push-public-key:
# web-push-private-key:
# web-push-file:
# web-push-email-address:
# web-push-startup-queries:
# If enabled, ntfy can perform voice calls via Twilio via the "X-Call" header.
#
# - twilio-account is the Twilio account SID, e.g. AC12345beefbeef67890beefbeef122586
# - twilio-auth-token is the Twilio auth token, e.g. affebeef258625862586258625862586
# - twilio-phone-number is the outgoing phone number you purchased, e.g. REDACTED_PHONE_NUMBER
# - twilio-verify-service is the Twilio Verify service SID, e.g. VA12345beefbeef67890beefbeef122586
#
# twilio-account:
# twilio-auth-token:
# twilio-phone-number:
# twilio-verify-service:
# Interval in which keepalive messages are sent to the client. This is to prevent
# intermediaries closing the connection for inactivity.
#
# Note that the Android app has a hardcoded timeout at 77s, so it should be less than that.
#
# keepalive-interval: "45s"
# Interval in which the manager prunes old messages, deletes topics
# and prints the stats.
#
# manager-interval: "1m"
# Defines topic names that are not allowed, because they are otherwise used. There are a few default topics
# that cannot be used (e.g. app, account, settings, ...). To extend the default list, define them here.
#
# Example:
# disallowed-topics:
# - about
# - pricing
# - contact
#
# disallowed-topics:
# Defines the root path of the web app, or disables the web app entirely.
#
# Can be any simple path, e.g. "/", "/app", or "/ntfy". For backwards-compatibility reasons,
# the values "app" (maps to "/"), "home" (maps to "/app"), or "disable" (maps to "") to disable
# the web app entirely.
#
# web-root: /
# Various feature flags used to control the web app, and API access, mainly around user and
# account management.
#
# - enable-signup allows users to sign up via the web app, or API
# - enable-login allows users to log in via the web app, or API
# - enable-reservations allows users to reserve topics (if their tier allows it)
#
# enable-signup: false
# enable-login: false
# enable-reservations: false
# Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh").
#
# iOS users:
# If you use the iOS ntfy app, you MUST configure this to receive timely notifications. You'll like want this:
#
upstream-base-url: "https://ntfy.sh"
#
# If set, all incoming messages will publish a "poll_request" message to the configured upstream server, containing
# the message ID of the original message, instructing the iOS app to poll this server for the actual message contents.
# This is to prevent the upstream server and Firebase/APNS from being able to read the message.
#
# - upstream-base-url is the base URL of the upstream server. Should be "https://ntfy.sh".
# - upstream-access-token is the token used to authenticate with the upstream server. This is only required
# if you exceed the upstream rate limits, or the uptream server requires authentication.
#
# upstream-base-url:
# upstream-access-token:
# Configures message-specific limits
#
# - message-size-limit defines the max size of a message body. Please note message sizes >4K are NOT RECOMMENDED,
# and largely untested. If FCM and/or APNS is used, the limit should stay 4K, because their limits are around that size.
# If you increase this size limit regardless, FCM and APNS will NOT work for large messages.
# - message-delay-limit defines the max delay of a message when using the "Delay" header.
#
# message-size-limit: "4k"
# message-delay-limit: "3d"
# Rate limiting: Total number of topics before the server rejects new topics.
#
# global-topic-limit: 15000
# Rate limiting: Number of subscriptions per visitor (IP address)
#
# visitor-subscription-limit: 30
# Rate limiting: Allowed GET/PUT/POST requests per second, per visitor:
# - visitor-request-limit-burst is the initial bucket of requests each visitor has
# - visitor-request-limit-replenish is the rate at which the bucket is refilled
# - visitor-request-limit-exempt-hosts is a comma-separated list of hostnames, IPs or CIDRs to be
# exempt from request rate limiting. Hostnames are resolved at the time the server is started.
# Example: "1.2.3.4,ntfy.example.com,8.7.6.0/24"
#
# visitor-request-limit-burst: 60
# visitor-request-limit-replenish: "5s"
# visitor-request-limit-exempt-hosts: ""
# Rate limiting: Hard daily limit of messages per visitor and day. The limit is reset
# every day at midnight UTC. If the limit is not set (or set to zero), the request
# limit (see above) governs the upper limit.
#
# visitor-message-daily-limit: 0
# Rate limiting: Allowed emails per visitor:
# - visitor-email-limit-burst is the initial bucket of emails each visitor has
# - visitor-email-limit-replenish is the rate at which the bucket is refilled
#
# visitor-email-limit-burst: 16
# visitor-email-limit-replenish: "1h"
# Rate limiting: Attachment size and bandwidth limits per visitor:
# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor
# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor
#
# visitor-attachment-total-size-limit: "100M"
# visitor-attachment-daily-bandwidth-limit: "500M"
# Rate limiting: Enable subscriber-based rate limiting (mostly used for UnifiedPush)
#
# If subscriber-based rate limiting is enabled, messages published on UnifiedPush topics** (topics starting with "up")
# will be counted towards the "rate visitor" of the topic. A "rate visitor" is the first subscriber to the topic.
#
# Once enabled, a client subscribing to UnifiedPush topics via HTTP stream, or websockets, will be automatically registered as
# a "rate visitor", i.e. the visitor whose rate limits will be used when publishing on this topic. Note that setting the rate visitor
# requires **read-write permission** on the topic.
#
# If this setting is enabled, publishing to UnifiedPush topics will lead to a HTTP 507 response if
# no "rate visitor" has been previously registered. This is to avoid burning the publisher's "visitor-message-daily-limit".
#
# visitor-subscriber-rate-limiting: false
# Payments integration via Stripe
#
# - stripe-secret-key is the key used for the Stripe API communication. Setting this values
# enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys.
# - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe.
# Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks.
# - billing-contact is an email address or website displayed in the "Upgrade tier" dialog to let people reach
# out with billing questions. If unset, nothing will be displayed.
#
# stripe-secret-key:
# stripe-webhook-key:
# billing-contact:
# Metrics
#
# ntfy can expose Prometheus-style metrics via a /metrics endpoint, or on a dedicated listen IP/port.
# Metrics may be considered sensitive information, so before you enable them, be sure you know what you are
# doing, and/or secure access to the endpoint in your reverse proxy.
#
# - enable-metrics enables the /metrics endpoint for the default ntfy server (i.e. HTTP, HTTPS and/or Unix socket)
# - metrics-listen-http exposes the metrics endpoint via a dedicated [IP]:port. If set, this option implicitly
# enables metrics as well, e.g. "10.0.1.1:9090" or ":9090"
#
# enable-metrics: false
# metrics-listen-http:
# Profiling
#
# ntfy can expose Go's net/http/pprof endpoints to support profiling of the ntfy server. If enabled, ntfy will listen
# on a dedicated listen IP/port, which can be accessed via the web browser on http://<ip>:<port>/debug/pprof/.
# This can be helpful to expose bottlenecks, and visualize call flows. See https://pkg.go.dev/net/http/pprof for details.
#
# profile-listen-http:
# Logging options
#
# By default, ntfy logs to the console (stderr), with an "info" log level, and in a human-readable text format.
# ntfy supports five different log levels, can also write to a file, log as JSON, and even supports granular
# log level overrides for easier debugging. Some options (log-level and log-level-overrides) can be hot reloaded
# by calling "kill -HUP $pid" or "systemctl reload ntfy".
#
# - log-format defines the output format, can be "text" (default) or "json"
# - log-file is a filename to write logs to. If this is not set, ntfy logs to stderr.
# - log-level defines the default log level, can be one of "trace", "debug", "info" (default), "warn" or "error".
# Be aware that "debug" (and particularly "trace") can be VERY CHATTY. Only turn them on briefly for debugging purposes.
# - log-level-overrides lets you override the log level if certain fields match. This is incredibly powerful
# for debugging certain parts of the system (e.g. only the account management, or only a certain visitor).
# This is an array of strings in the format:
# - "field=value -> level" to match a value exactly, e.g. "tag=manager -> trace"
# - "field -> level" to match any value, e.g. "time_taken_ms -> debug"
# Warning: Using log-level-overrides has a performance penalty. Only use it for temporary debugging.
#
# Check your permissions:
# If you are running ntfy with systemd, make sure this log file is owned by the
# ntfy user and group by running: chown ntfy.ntfy <filename>.
#
# Example (good for production):
# log-level: info
# log-format: json
# log-file: /var/log/ntfy.log
#
# Example level overrides (for debugging, only use temporarily):
# log-level-overrides:
# - "tag=manager -> trace"
# - "visitor_ip=1.2.3.4 -> debug"
# - "time_taken_ms -> debug"
#
# log-level: info
# log-level-overrides:
# log-format: text
# log-file:

12
hosts/vms/homelab-vm/openai_whisper.txt Normal file
View File

@@ -0,0 +1,12 @@
/home/youruser/whisper-docker/
├── docker-compose.yml
├── Dockerfile
├── audio/ <-- this is ./audio on the host
│ ├── sample.mp3
└── models/
mkdir audio
cp ~/Downloads/myfile.mp3 audio/
docker compose run --rm whisper myfile.mp3 --model small --fp16 False
sudo docker compose run --rm whisper tape4.mp4 --model small --fp16 False --language en

41
hosts/vms/homelab-vm/openhands.yaml Normal file
View File

@@ -0,0 +1,41 @@
# OpenHands - AI Software Development Agent
# Port: 3001
# Docs: https://docs.openhands.dev
# LLM: Claude Sonnet 4
version: '3.8'
services:
openhands:
image: docker.openhands.dev/openhands/openhands:1.1
container_name: openhands-app
ports:
- "3001:3000"
extra_hosts:
- "host.docker.internal:host-gateway"
environment:
# LLM Configuration
- LLM_API_KEY=${ANTHROPIC_API_KEY}
- LLM_MODEL=anthropic/claude-sonnet-4-20250514
# Sandbox Configuration
- SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.openhands.dev/openhands/runtime:1.1-nikolaik
- LOG_ALL_EVENTS=true
- RUN_AS_OPENHANDS=true
- OPENHANDS_USER_ID=42420
# Use docker bridge gateway IP so runtime containers can reach the main container
- SANDBOX_LOCAL_RUNTIME_URL=http://172.17.0.1
- USE_HOST_NETWORK=false
- WORKSPACE_BASE=/opt/workspace_base
- SANDBOX_USER_ID=0
- FILE_STORE=local
- FILE_STORE_PATH=/.openhands
- INIT_GIT_IN_EMPTY_WORKSPACE=1
# Disable default MCP (runtime can't resolve host.docker.internal)
- DISABLE_DEFAULT_MCP=true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- openhands-data:/.openhands
restart: unless-stopped
volumes:
openhands-data:

41
hosts/vms/homelab-vm/openproject.yml Normal file
View File

@@ -0,0 +1,41 @@
# OpenProject - Project management
# Port: 8080
# Open source project management
version: "3.8"
services:
db:
image: postgres:16
container_name: openproject-db
restart: unless-stopped
environment:
POSTGRES_USER: openproject
POSTGRES_PASSWORD: "REDACTED_PASSWORD"
POSTGRES_DB: openproject
volumes:
- /home/homelab/docker/openproject/postgres:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U openproject -d openproject"]
interval: 30s
timeout: 5s
retries: 5
openproject:
image: openproject/openproject:16.0.0-slim
container_name: openproject
restart: unless-stopped
depends_on:
db:
condition: service_healthy
ports:
- "8083:8080"
environment:
OPENPROJECT_HOST__NAME: "homelab.vish.local" # 👈 replace with homelabs LAN IP
OPENPROJECT_DISABLE__HOST__NAME__CHECK: "true"
OPENPROJECT_HTTPS: "false"
OPENPROJECT_SECRET_KEY_BASE: "REDACTED_SECRET_KEY_BASE"_GITEA_TOKEN"
OPENPROJECT_EE__MANAGER__VISIBLE: "false"
DATABASE_URL: "postgresql://openproject:REDACTED_PASSWORD@db:5432/openproject"
volumes:
- /home/homelab/docker/openproject/assets:/var/openproject/assets

15
hosts/vms/homelab-vm/paperminecraft.yaml Normal file
View File

@@ -0,0 +1,15 @@
# Paper Minecraft - Game server
# Port: 25565
# Paper Minecraft server
version: "3.8"
services:
# bind mount example
linuxgsm-pmc-bind:
image: gameservermanagers/gameserver:pmc
# image: ghcr.io/gameservermanagers/gameserver:pmc
container_name: pmcserver
restart: unless-stopped
volumes:
- /home/homelab/docker/pmc:/data
network_mode: host

21
hosts/vms/homelab-vm/perplexica.yaml Normal file
View File

@@ -0,0 +1,21 @@
# Perplexica - AI-powered search engine
# Port: 4785
# Configure LLM providers via web UI at http://192.168.0.210:4785/settings
#
# Configured to use Seattle Ollama instance (100.82.197.124:11434) via Tailscale
# This distributes LLM inference load to the Contabo VPS with CPU-only inference
services:
perplexica:
image: itzcrazykns1337/perplexica:latest
container_name: perplexica
ports:
- "4785:3000"
environment:
- OLLAMA_BASE_URL=http://100.82.197.124:11434
volumes:
- perplexica-data:/home/perplexica/data
restart: unless-stopped
volumes:
perplexica-data:

16
hosts/vms/homelab-vm/podgrab.yml Normal file
View File

@@ -0,0 +1,16 @@
# Podgrab - Podcast manager
# Port: 8080
# Podcast download and management
version: '3.3'
services:
podgrab:
container_name: podgrab
image: akhilrex/podgrab
ports:
- "8389:8080"
volumes:
- /mnt/atlantis_docker/podgrab/podcasts:/assets
- /mnt/atlantis_docker/podgrab/config:/config
restart: unless-stopped

22
hosts/vms/homelab-vm/portainer_agent.yaml Normal file
View File

@@ -0,0 +1,22 @@
# Portainer Edge Agent - homelab-vm
# Connects to Portainer server on Atlantis (100.83.230.112:8000)
# Deploy: docker compose -f portainer_agent.yaml up -d
services:
portainer_edge_agent:
image: portainer/agent:2.33.7
container_name: portainer_edge_agent
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
- /:/host
- portainer_agent_data:/data
environment:
EDGE: "1"
EDGE_ID: "18271a7b-03ea-4945-946c-4a845e1bb3ff"
EDGE_KEY: "aHR0cDovLzEwMC44My4yMzAuMTEyOjEwMDAwfGh0dHA6Ly8xMDAuODMuMjMwLjExMjo4MDAwfGtDWjVkTjJyNXNnQTJvMEF6UDN4R3h6enBpclFqa05Wa0FCQkU0R1IxWFU9fDQ0MzM5OQ"
EDGE_INSECURE_POLL: "1"
volumes:
portainer_agent_data:

53
hosts/vms/homelab-vm/proxitok.yaml Normal file
View File

@@ -0,0 +1,53 @@
# ProxiTok - Privacy-respecting TikTok frontend
# Port: 9770
# Alternative TikTok frontend - no ads, no tracking, server-side requests
services:
proxitok:
container_name: proxitok-web
image: ghcr.io/pablouser1/proxitok:master
ports:
- 9770:8080
environment:
- LATTE_CACHE=/cache
- API_CACHE=redis
- REDIS_HOST=proxitok-redis
- REDIS_PORT=6379
- API_CHROMEDRIVER=http://proxitok-chromedriver:4444
volumes:
- proxitok-cache:/cache
depends_on:
- redis
- chromedriver
networks:
- proxitok
restart: unless-stopped
redis:
container_name: proxitok-redis
image: redis:7-alpine
volumes:
- proxitok-redis:/data
networks:
- proxitok
init: true
restart: unless-stopped
chromedriver:
container_name: proxitok-chromedriver
image: robcherry/docker-chromedriver:latest
shm_size: 2g
environment:
- CHROMEDRIVER_WHITELISTED_IPS=
privileged: true
networks:
- proxitok
restart: unless-stopped
volumes:
proxitok-cache:
proxitok-redis:
networks:
proxitok:
driver: bridge

21
hosts/vms/homelab-vm/redlib.yaml Normal file
View File

@@ -0,0 +1,21 @@
# Redlib - Reddit frontend (maintained fork of Libreddit)
# Port: 9000
# Privacy-respecting Reddit frontend
services:
redlib:
image: quay.io/redlib/redlib:latest
container_name: Redlib
hostname: redlib
mem_limit: 2g
cpu_shares: 768
security_opt:
- no-new-privileges:true
read_only: true
healthcheck:
test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
interval: 30s
timeout: 5s
ports:
- 9000:8080
restart: on-failure:5

47
hosts/vms/homelab-vm/romm/config.yml Normal file
View File

@@ -0,0 +1,47 @@
# mariushosting example of a RomM configuration file
# Only uncomment the lines you want to use/modify, or add new ones where needed
exclude:
# Exclude platforms to be scanned
platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
# Exclude roms or parts of roms to be scanned
roms:
# Single file games section.
# Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
single_file:
# Exclude all files with certain extensions to be scanned
extensions: [] # ['xml', 'txt']
# Exclude matched file names to be scanned.
# Supports unix filename pattern matching
# Can also exclude files by extension
names: [] # ['info.txt', '._*', '*.nfo']
# Multi files games section
# Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
multi_file:
# Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
names: [] # ['my_multi_file_game', 'DLC']
# Exclude files within sub-folders.
parts:
# Exclude matched file names to be scanned from multi file roms
# Keep in mind that RomM doesn't scan folders inside multi files games,
# so there is no need to exclude folders from inside of multi files games.
names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
# Exclude all files with certain extensions to be scanned from multi file roms
extensions: [] # ['xml', 'txt']
system:
# Asociate different platform names to your current file system platform names
# [your custom platform folder name]: [RomM platform name]
# In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
platforms: {} # { gc: 'ngc', psx: 'ps' }
# Asociate one platform to it's main version
versions: {} # { naomi: 'arcade' }
# The folder name where your roms are located
filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder

55
hosts/vms/homelab-vm/romm/romm.yaml Normal file
View File

@@ -0,0 +1,55 @@
version: "3.9"
services:
db:
image: mariadb:11.4-noble # LTS Long Time Support until May 29, 2029
container_name: RomM-DB
security_opt:
- no-new-privileges:false
environment:
MYSQL_DATABASE: romm
MYSQL_USER: rommuser
MYSQL_PASSWORD: "REDACTED_PASSWORD"
MYSQL_ROOT_PASSWORD: "REDACTED_PASSWORD"
TZ: America/Los_Angeles
volumes:
- /mnt/atlantis_docker/romm/db:/var/lib/mysql:rw
restart: on-failure:5
romm:
image: rommapp/romm:latest
container_name: RomM
depends_on:
- db
ports:
- "7676:8080"
environment:
ROMM_DB_DRIVER: mariadb
DB_HOST: db
DB_NAME: romm
DB_USER: rommuser
DB_PASSWD: "REDACTED_PASSWORD"
DB_PORT: 3306
ROMM_AUTH_SECRET_KEY: e9c36749cf1cb5f8df757bc0REDACTED_GITEA_TOKEN
# Metadata providers (optional):
# SCREENSCRAPER_USER:
# SCREENSCRAPER_PASSWORD:
# IGDB_CLIENT_ID:
# IGDB_CLIENT_SECRET:
# MOBYGAMES_API_KEY:
# STEAMGRIDDB_API_KEY:
# RETROACHIEVEMENTS_API_KEY:
# HASHEOUS_API_ENABLED: true
volumes:
- /mnt/atlantis_docker/romm/resources:/romm/resources:rw
- /mnt/atlantis_docker/romm/redis:/redis-data:rw
- /mnt/atlantis_docker/romm/games/library:/romm/library:rw
- /mnt/atlantis_docker/romm/games/assets:/romm/assets:rw
- /mnt/atlantis_docker/romm/games/config:/romm/config:rw
healthcheck:
test: ["CMD", "curl", "-f", "http://127.0.0.1:8080/"]
interval: 10s
timeout: 5s
retries: 3
start_period: 90s
restart: on-failure:10

24
hosts/vms/homelab-vm/roundcube.yaml Normal file
View File

@@ -0,0 +1,24 @@
# Roundcube - Webmail
# Port: 8080
# Web-based email client
version: "3.9"
services:
roundcube:
image: roundcube/roundcubemail:latest
container_name: roundcube
environment:
ROUNDCUBEMAIL_DEFAULT_HOST: ssl://imap.gmail.com
ROUNDCUBEMAIL_DEFAULT_PORT: 993
ROUNDCUBEMAIL_SMTP_SERVER: tls://smtp.gmail.com
ROUNDCUBEMAIL_SMTP_PORT: 587
ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE: 25M
ROUNDCUBEMAIL_SKIN: elastic
volumes:
- /mnt/atlantis_docker/roundcube/data:/var/roundcube
- /mnt/atlantis_docker/roundcube/config:/var/roundcube/config
- /mnt/atlantis_docker/roundcube/logs:/var/roundcube/logs
ports:
- "7512:80" # or 7512:80 if you prefer
restart: unless-stopped

37
hosts/vms/homelab-vm/roundcube_protonmail.yaml Normal file
View File

@@ -0,0 +1,37 @@
# Roundcube ProtonMail Bridge
# Port: 8080
# Webmail with ProtonMail support
version: "3.9"
services:
roundcube-protonmail:
image: roundcube/roundcubemail:latest
container_name: roundcube-protonmail
environment:
# ProtonMail Bridge IMAP + SMTP (plain inside the Docker network)
ROUNDCUBEMAIL_DEFAULT_HOST: protonmail-bridge
ROUNDCUBEMAIL_DEFAULT_PORT: 143
ROUNDCUBEMAIL_SMTP_SERVER: protonmail-bridge
ROUNDCUBEMAIL_SMTP_PORT: 25
ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE: 25M
ROUNDCUBEMAIL_SKIN: elastic
volumes:
- /mnt/atlantis_docker/roundcube_protonmail/data:/var/roundcube
- /mnt/atlantis_docker/roundcube_protonmail/config:/var/roundcube/config
- /mnt/atlantis_docker/roundcube_protonmail/logs:/var/roundcube/logs
ports:
- "7513:80" # exposed via your tailnet (change if needed)
restart: unless-stopped
depends_on:
- protonmail-bridge
protonmail-bridge:
image: shenxn/protonmail-bridge:latest
container_name: protonmail-bridge
environment:
- TZ=America/Los_Angeles
command: ["protonmail-bridge", "--no-keychain", "--cli"]
volumes:
- /mnt/atlantis_docker/roundcube_protonmail/bridge:/root/.config/protonmail/bridge
restart: unless-stopped

33
hosts/vms/homelab-vm/satisfactory.yaml Normal file
View File

@@ -0,0 +1,33 @@
# Satisfactory - Game server
# Port: 7777
# Satisfactory dedicated game server
services:
satisfactory-server:
container_name: 'satisfactory-server'
hostname: 'satisfactory-server'
image: 'wolveix/satisfactory-server:latest'
ports:
- '7777:7777/udp'
- '7777:7777/tcp'
volumes:
- /home/homelab/docker/sf:/data
environment:
- MAXPLAYERS=4
- PGID=1000
- PUID=1000
- ROOTLESS=false
- STEAMBETA=false
restart: unless-stopped
healthcheck:
test: bash /healthcheck.sh
interval: 30s
timeout: 10s
retries: 3
start_period: 120s
deploy:
resources:
limits:
memory: 6G
reservations:
memory: 4G

55
hosts/vms/homelab-vm/scrutiny.yaml Normal file
View File

@@ -0,0 +1,55 @@
# Scrutiny — SMART Disk Health Monitoring Hub
#
# Runs on homelab-vm (Tailscale 100.67.40.126)
# Web UI: http://100.67.40.126:8090 (also: scrutiny.vish.gg via NPM)
# InfluxDB: internal to this stack
#
# Collectors ship metrics from physical hosts to this hub.
# Collector composes at:
# hosts/synology/atlantis/scrutiny-collector.yaml
# hosts/synology/calypso/scrutiny-collector.yaml
# hosts/synology/setillo/scrutiny-collector.yaml
# hosts/physical/concord-nuc/scrutiny-collector.yaml
# hosts/edge/rpi5-vish/scrutiny-collector.yaml
#
# Deploy: Portainer GitOps on endpoint 443399 (homelab-vm)
services:
scrutiny-web:
image: ghcr.io/analogj/scrutiny:master-web
container_name: scrutiny-web
ports:
- "8090:8080"
volumes:
- scrutiny-config:/opt/scrutiny/config
- scrutiny-influx:/opt/scrutiny/influxdb
environment:
GIN_MODE: release
SCRUTINY_WEB_INFLUXDB_HOST: scrutiny-influxdb
restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/api/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 60s
depends_on:
scrutiny-influxdb:
condition: service_healthy
scrutiny-influxdb:
image: influxdb:2.2
container_name: scrutiny-influxdb
volumes:
- scrutiny-influx:/var/lib/influxdb2
restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8086/ping"]
interval: 10s
timeout: 5s
retries: 5
start_period: 20s
volumes:
scrutiny-config:
scrutiny-influx:

68
hosts/vms/homelab-vm/shlink.yml Normal file
View File

@@ -0,0 +1,68 @@
# Shlink - URL shortener
# Port: 8080
# Self-hosted URL shortener
version: "3.9"
services:
shlink-db:
image: postgres
container_name: Shlink-DB
hostname: shlink-db
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD", "pg_isready", "-q", "-d", "shlink", "-U", "shlinkuser"]
interval: 10s
timeout: 5s
retries: 5
user: 1000:1000
volumes:
- /home/homelab/docker/shlinkdb:/var/lib/postgresql/data
environment:
POSTGRES_DB: shlink
POSTGRES_USER: shlinkuser
POSTGRES_PASSWORD: "REDACTED_PASSWORD"
restart: unless-stopped
shlink:
image: shlinkio/shlink:stable
container_name: Shlink
hostname: shlink
security_opt:
- no-new-privileges:true
ports:
- 8335:8080
environment:
- TIMEZONE=America/Los_Angeles
- INITIAL_API_KEY="REDACTED_API_KEY"
- DB_DRIVER=postgres
- DB_NAME=shlink
- DB_USER=shlinkuser
- DB_PASSWORD="REDACTED_PASSWORD"
- DB_HOST=shlink-db
- DB_PORT=5432
- DEFAULT_DOMAIN=url.thevish.io
- IS_HTTPS_ENABLED=true
- GEOLITE_LICENSE_KEY="REDACTED_GEOLITE_KEY"
restart: unless-stopped
depends_on:
shlink-db:
condition: service_started
shlink-web:
image: shlinkio/shlink-web-client:stable
container_name: Shlink-WEB
hostname: shlink-web
security_opt:
- no-new-privileges:true
healthcheck:
test: wget --no-verbose --tries=1 --spider http://localhost:80/ || exit 1
ports:
- 8336:80
environment:
- SHLINK_SERVER_NAME=thevish
- SHLINK_SERVER_URL=https://url.thevish.io
- SHLINK_SERVER_API_KEY="REDACTED_API_KEY"
restart: unless-stopped
depends_on:
- shlink

15
hosts/vms/homelab-vm/signal_api.yaml Normal file
View File

@@ -0,0 +1,15 @@
# Signal API - Signal messenger REST API
# Port: 8080
# REST API for Signal messenger automation
version: "3"
services:
signal-cli-rest-api:
container_name: signal-api
restart: unless-stopped
ports:
- 8080:8080
volumes:
- /home/homelab/docker/signal:/home/.local/share/signal-cli
environment:
- MODE=native
image: bbernhard/signal-cli-rest-api

23
hosts/vms/homelab-vm/syncthing.yml Normal file
View File

@@ -0,0 +1,23 @@
# Syncthing - File synchronization
# Port: 8384 (web), 22000 (sync)
# Continuous file synchronization between devices
version: "2.1"
services:
syncthing:
image: lscr.io/linuxserver/syncthing:latest
container_name: syncthing
hostname: syncthing #optional
environment:
- PUID=1000
- PGID=1000
- TZ=America/Los_Angeles
volumes:
- /root/docker/syncthing/config:/config
- /root/docker/syncthing/data1
- /root/docker/syncthing/data2
ports:
- 8384:8384
- 22000:22000/tcp
- 22000:22000/udp
- 21027:21027/udp
restart: unless-stopped

18
hosts/vms/homelab-vm/watchyourlan.yaml Normal file
View File

@@ -0,0 +1,18 @@
# WatchYourLAN - Network scanner
# Port: 8840
# Lightweight network IP scanner with web UI
services:
watchyourlan:
container_name: WatchYourLAN
environment:
- TZ=America/Los_Angeles
- HOST=192.168.0.210
- PORT=8840
- IFACES=ens18
- THEME=grass
- COLOR=dark
volumes:
- /home/homelab/docker/wyl:/data/WatchYourLAN
network_mode: host
restart: unless-stopped
image: aceberg/watchyourlan:v2

15
hosts/vms/homelab-vm/webcheck.yaml Normal file
View File

@@ -0,0 +1,15 @@
# Web Check - Website analysis
# Port: 3000
# All-in-one website OSINT analysis tool
version: "3.9"
services:
webcheck:
container_name: Web-Check
image: lissy93/web-check
mem_limit: 4g
cpu_shares: 768
security_opt:
- no-new-privileges:true
restart: on-failure:5
ports:
- 6160:3000

23
hosts/vms/homelab-vm/webcord.yml Normal file
View File

@@ -0,0 +1,23 @@
# WebCord - Discord client
# Port: 3000
# Web-based Discord client
---
version: "2.1"
services:
webcord:
image: lscr.io/linuxserver/webcord:latest
container_name: webcord
security_opt:
- seccomp:unconfined #optional
environment:
- PUID=1000
- PGID=1000
- TZ=America/Los_Angeles
volumes:
- /home/homelab/docker/webcord:/config
ports:
- 3000:3000
- 3001:3001
shm_size: "1gb"
restart: unless-stopped