add basic container, configure git repo structure, add sops addon

2026-02-10 18:34:25 +03:00
parent 3e5be7b7a4
commit d457efd566
14 changed files with 132 additions and 1 deletions
--- a/hosts/home-morefine/docker/caddy/Caddyfile
+++ b/hosts/home-morefine/docker/caddy/Caddyfile
@@ -0,0 +1,147 @@
+{
+    admin :2019
+    # email me@example.com
+}
+
+# A
+ai.catmedved.com {
+    reverse_proxy http://librechat:3080
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+auth.catmedved.com {
+    reverse_proxy http://authentik_server:9000
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# B
+beszel.catmedved.com {
+    reverse_proxy http://beszel:8090
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# C
+caddy-minipc.catmedved.com {
+    reverse_proxy http://caddyui:8000
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# D
+databasus.catmedved.com {
+    reverse_proxy http://databasus:4005
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+drone.catmedved.com {
+    reverse_proxy http://drone:80
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# F
+files-minipc.catmedved.com {
+    reverse_proxy /outpost.goauthentik.io* https://auth.catmedved.com {
+        header_up Host {host}
+    }
+    reverse_proxy http://filebrowser:80
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+films.catmedved.com {
+    reverse_proxy http://jellyfin:8096
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# G
+gameyfin.catmedved.com {
+    reverse_proxy http://gameyfin:8080
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+gitea.catmedved.com {
+    reverse_proxy http://gitea.catmedved.com:80
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+glances-minipc.catmedved.com {
+    reverse_proxy http://glances:61208
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# H
+home.catmedved.com {
+    reverse_proxy http://homepage:3000
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# M
+myspeed-minipc.catmedved.com {
+    reverse_proxy http://myspeed:5216
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+music.catmedved.com {
+    reverse_proxy http://navidrome:4533
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# N
+nocodb.catmedved.com {
+    reverse_proxy http://nocodb:8080
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# P
+passwords.catmedved.com {
+    reverse_proxy http://vaultwarden:80
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+pihole.catmedved.com {
+    reverse_proxy http://pihole:80
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+photo.catmedved.com {
+    reverse_proxy http://immich_server:2283
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# S
+speedtest-minipc.catmedved.com {
+    reverse_proxy http://speedtest-tracker:80
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+sync-minipc.catmedved.com {
+    reverse_proxy http://172.24.0.1:8384 {
+        header_up Host {upstream_hostport}
+    }
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# T
+transmission.catmedved.com {
+    reverse_proxy transmission:9091
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+# W
+weatherapp.catmedved.com {
+    reverse_proxy http://weatherapp:8080
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+wekan.catmedved.com {
+    reverse_proxy http://wekan:8080
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+wikijs.catmedved.com {
+    reverse_proxy http://wikijs:3000
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
+whatsupdocker-minipc.catmedved.com {
+    reverse_proxy http://whatsupdocker:3000
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
--- a/hosts/home-morefine/docker/caddy/docker-compose.yml
+++ b/hosts/home-morefine/docker/caddy/docker-compose.yml
@@ -0,0 +1,25 @@
+services:
+  caddy:
+    image: caddy:latest
+    container_name: caddy
+    restart: unless-stopped
+    networks:
+      - caddy_internal
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
+      - /home/vk/certs/catmedved.com:/etc/caddy/certs:ro
+      - caddy_data:/data
+      - caddy_config:/config
+    environment:
+      - TZ=Europe/Minsk
+
+networks:
+  caddy_internal:
+    external: true
+
+volumes:
+  caddy_data:
+  caddy_config:
--- a/hosts/home-morefine/docker/jellyfin/docker-compose.yaml
+++ b/hosts/home-morefine/docker/jellyfin/docker-compose.yaml
@@ -0,0 +1,35 @@
+services:
+  jellyfin:
+    image: jellyfin/jellyfin:latest
+    container_name: jellyfin
+    hostname: Films
+    networks:
+      - caddy_internal
+    dns:
+      - 192.168.1.131 # pi-hole
+    volumes:
+      - ~/docker/jellyfin/config:/config
+      - ~/docker/jellyfin/cache:/cache
+      - /media/vk/L200/Media:/media
+      - /mnt/wd:/media_wd
+    #  - /path/to/media2:/media2:ro
+    devices:
+      - /dev/dri:/dev/dri
+    restart: 'unless-stopped'
+
+    #ports:
+    #  - 8096:8096
+    #  - 7359:7359/udp
+
+
+    # Optional - alternative address used for autodiscovery
+    #environment:
+    #  - JELLYFIN_PublishedServerUrl=http://media.local
+    # Optional - may be necessary for docker healthcheck to pass if running in host network mode
+    #extra_hosts:
+    #  - "host.docker.internal:host-gateway"
+
+networks:
+  caddy_internal:
+    name: caddy_internal
+    external: true
--- a/hosts/home-morefine/initial-setup/info.md
+++ b/hosts/home-morefine/initial-setup/info.md
@@ -0,0 +1,8 @@
+# Main server paths
+
+```sh
+/srv/backups/<service>   # backups
+/srv/gitops              # git repo
+/srv/rundata/<service>   # persistent service data (volumes)
+/run/secrets/<service>   # runtime secrets (tmpfs) - docker style file-based secrets
+```
--- a/hosts/home-morefine/initial-setup/sops.sh
+++ b/hosts/home-morefine/initial-setup/sops.sh
@@ -0,0 +1,17 @@
+# age
+sudo apt install -y age
+
+sudo mkdir -p /root/.config/sops/age
+sudo age-keygen -o /root/.config/sops/age/keys.txt
+sudo chmod 600 /root/.config/sops/age/keys.txt
+
+# sops
+curl -LO https://github.com/getsops/sops/releases/download/v3.11.0/sops-v3.11.0.linux.amd64
+sudo install -m 0755 sops-v3.11.0.linux.amd64 /usr/local/bin/sops
+rm sops-v3.11.0.linux.amd64
+
+# yq for yaml
+sudo wget -qO /usr/local/bin/yq \
+  https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+
+sudo chmod +x /usr/local/bin/yq
--- a/hosts/home-morefine/inventory.md
+++ b/hosts/home-morefine/inventory.md
--- a/hosts/home-morefine/systemd/docker.service.d/10-sops-decrypt.conf
+++ b/hosts/home-morefine/systemd/docker.service.d/10-sops-decrypt.conf
@@ -0,0 +1,3 @@
+[Unit]
+Requires=sops-decrypt.service
+After=sops-decrypt.service
--- a/hosts/home-morefine/systemd/sops/sops-decrypt.service
+++ b/hosts/home-morefine/systemd/sops/sops-decrypt.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Decrypt SOPS secrets before Docker starts
+DefaultDependencies=no
+Before=docker.service
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+WorkingDirectory=/srv/gitops
+Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt
+
+# твой скрипт расшифровки (держи в репо или в /usr/local/bin)
+ExecStart=/srv/gitops/homelab-infra/lab-home/sops-decrypt.sh
+
+TimeoutStartSec=300
+
+[Install]
+WantedBy=multi-user.target
--- a/hosts/home-morefine/systemd/sops/sops-install-oneoff.sh
+++ b/hosts/home-morefine/systemd/sops/sops-install-oneoff.sh
@@ -0,0 +1,8 @@
+sudo install -D -m 0644 systemd/sops-decrypt.service /etc/systemd/system/sops-decrypt.service
+sudo install -D -m 0644 systemd/docker.service.d/10-sops-decrypt.conf /etc/systemd/system/docker.service.d/10-sops-decrypt.conf
+
+# сам скрипт
+sudo install -D -m 0755 systemd/sops-decrypt-all /usr/local/bin/sops-decrypt-all
+
+sudo systemctl daemon-reload
+sudo systemctl enable sops-decrypt.service
--- a/hosts/home-morefine/users/group_photo.sh
+++ b/hosts/home-morefine/users/group_photo.sh
@@ -0,0 +1,8 @@
+sudo groupadd photos
+
+sudo usermod -aG photos vk
+sudo usermod -aG photos apps
+sudo usermod -aG photos syncthing_user
+
+sudo chown -R vk:photos /srv/photo
+sudo chmod -R 2775 /srv/photo
--- a/hosts/home-morefine/users/user_apps.sh
+++ b/hosts/home-morefine/users/user_apps.sh
@@ -0,0 +1,18 @@
+sudo groupadd --system --gid 995 apps
+
+sudo useradd --uid 995 --gid 995 \
+  --system \
+  --create-home \
+  --home-dir /home/apps \
+  --gid apps \
+  --shell /usr/sbin/nologin \
+  --comment "Service account for applications" \
+  apps
+
+sudo chmod 0750 /home/apps
+
+sudo usermod -aG apps vk
+sudo usermod -aG photos apps
+
+id apps
+# uid=995(apps) gid=995(apps) groups=995(apps)
--- a/hosts/home-morefine/users/user_syncthing_user.sh
+++ b/hosts/home-morefine/users/user_syncthing_user.sh
@@ -0,0 +1 @@
+syncthing_user
--- a/hosts/home-morefine/users/user_vk.sh
+++ b/hosts/home-morefine/users/user_vk.sh
@@ -0,0 +1,2 @@
+# vk - human system admin
+