immich: try add dns to reach pc for ML tasks

.sops.yaml

@@ -7,3 +7,7 @@
     age:
       - age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk  # me
       - age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73  # server
+  - path_regex: '(^|[\\/]).*\.sops\.conf$'
+    age:
+      - age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk  # me
+      - age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73  # server

hosts/home-morefine/docker/beszel/docker-compose.yaml

@@ -0,0 +1,49 @@
+services:
+  beszel:
+    image: henrygd/beszel
+    container_name: beszel
+    restart: unless-stopped
+    ports:
+      - "10.8.0.3:8090:8090"
+      - "127.0.0.1:8090:8090"
+    dns:
+      - 192.168.1.131 # pi-hole
+    networks:
+      - caddy_internal
+    volumes:
+      - /srv/rundata/beszel/beszel_data:/beszel_data
+      - /srv/rundata/beszel/beszel_socket:/beszel_socket
+
+  beszel-agent:
+    image: henrygd/beszel-agent-intel
+    container_name: beszel-agent
+    restart: unless-stopped
+    network_mode: host
+    devices:
+      - /dev/sda:/dev/sda
+      #      - /dev/sdb:/dev/sdb #usb adapter - doesn't work
+      #      - /dev/sdc:/dev/sdc #usb adapter - doуsn't work
+      - /dev/nvme0:/dev/nvme0
+      - /dev/dri/card0:/dev/dri/card0 # `ls /dev/dri` to find GPU name
+    cap_add:
+      - SYS_RAWIO # required for S.M.A.R.T. data
+      - SYS_ADMIN # required for NVMe S.M.A.R.T. data
+      - CAP_PERFMON # monitor intel gpu
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /srv/rundata/beszel/beszel_agent_data:/var/lib/beszel-agent
+      - /srv/rundata/beszel/beszel_socket:/beszel_socket
+      - /mnt/wd:/extra-filesystems/sdb1__wd:ro
+      - /media/vk/L200:/extra-filesystems/sdc1__l200:ro
+      - /run/secrets/beszel:/run/secrets/beszel:ro
+      # monitor other disks / partitions by mounting a folder in /extra-filesystems
+      # - /mnt/disk/.beszel:/extra-filesystems/sda1:ro
+    environment:
+      LISTEN: /beszel_socket/beszel.sock
+      HUB_URL: http://localhost:8090
+      KEY_FILE: /run/secrets/beszel/AGENT_KEY
+      TOKEN_FILE: /run/secrets/beszel/AGENT_TOKEN
+
+networks:
+  caddy_internal:
+    external: true

hosts/home-morefine/docker/beszel/secrets.sops.yaml

@@ -0,0 +1,26 @@
+AGENT_KEY: ENC[AES256_GCM,data:bkBSQmQ+atPeM6NR6xuCI1Pj18515W+N6aVGV1qj8FkqQdW9NDIuUFQo9avmOvuVBgEwEGjmYopg5HjeOKiNTY8vmTY2uX4ep2NPn+wXLjQ=,iv:Addanwsq3oWc577n4rI4aQrAKHhHwgU54qDRDQrNoY8=,tag:7kc4ekRW3NjGHgV0h0pRlA==,type:str]
+AGENT_TOKEN: ENC[AES256_GCM,data:BThMKkVfuQPVrcWZyeCyX2zKB4zptIeRBy4aK3kpy4jYEJrR,iv:mf6QmzliYPmqSSm04POeAZ0vKKwUrg/BN/9T6trr2ec=,tag:HueCX4ET1qT+GCPltOiCAA==,type:str]
+sops:
+    age:
+        - recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YkhQajBITGFwa1AwNkpP
+            MHhwSWU3enNnTjhVMWtuNUR1cDFPSlVKRENvCmQxYnlpMHdYK0g1azNPdmVoQVBJ
+            ZGUyTXg4ZTJHTkRVV0ZqQVVJeGY4Y2cKLS0tIDZkS1hBM1FBbms3N3FUcHN2aXFM
+            SlNVeTR2MTdZUFNmdnhjMHhWaGUzbjAKjtHro6hKfxOtJrFvjTJOoT6Ao2vjvq3f
+            bupg08TbEdJogHQGi6wCwscCQiZm0UVLZoB5iVjLf5ybVP27CLEQMQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaE5VV25xL0h1ZmVlQzQy
+            b0VkK0t2UmNYQjROcFJHaE5Xb2lHTmtzY1RrCnZhRVNnRThWTzRpUEFRdXgvSisr
+            TElKUTVQYndYTFkyOWFFbkRtUWlWdTQKLS0tIGJwVng5VWE3c2J6YVk5UVlNUnpj
+            ckRzeFdwblpGN1ViQVNyaXNpWE9ucDQK0s8x0C8C+Z+HnOUx05HyyPU2B1EM5g0o
+            RAPVXu3jh9wy8zFQYILDuvTg5kbWiH73r09hy26UN1aAXxeWf20ufQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-13T11:29:44Z"
+    mac: ENC[AES256_GCM,data:36trL0c3r10+PZdbiKm3NgN0BkJwbWGeOesSJlh/SvUTeO9TD09pdd4J/6J/NGTq8GXhGviCUnE0hT76GepgGh9GNvpQQHyRBPlygYjMeoj3mX07yY48SbQTxvpiSgBkhswlvQ4PbpMFOwyALv84ie7Dusfnp+S65RNFLPl4sVU=,iv:IE26s69HxkDOn3LfuXIEUBVpyoZeh5eq4LD8ZRnXqCs=,tag:DDB6MkHpRYbSFLO0ameLVw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/home-morefine/docker/caddy/Caddyfile

@@ -38,10 +38,7 @@ drone.catmedved.com {
 }
 
 # F
-files-minipc.catmedved.com {
+filebrowser.catmedved.com {
-    reverse_proxy /outpost.goauthentik.io* https://auth.catmedved.com {
-        header_up Host {host}
-    }
     reverse_proxy http://filebrowser:80
     tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
 }
@@ -106,6 +103,12 @@ photo.catmedved.com {
     tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
 }
 
+# R
+recepies.catmedved.com {
+    reverse_proxy http://mealie:9000
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
 # S
 speedtest-minipc.catmedved.com {
     reverse_proxy http://speedtest-tracker:80

hosts/home-morefine/docker/databasus/docker-compose.yaml

@@ -0,0 +1,23 @@
+services:
+  databasus:
+    container_name: databasus
+    restart: unless-stopped
+    image: databasus/databasus:latest
+    #    ports:
+    #      - "4005:4005"
+    volumes:
+      - /srv/rundata/databasus/databasus-data:/databasus-data
+    networks:
+      - caddy_internal
+      - immich_internal
+      - gitea_db_net
+    dns:
+      - 192.168.1.131 # pi-hole
+
+networks:
+  caddy_internal:
+    external: true
+  immich_internal:
+    external: true
+  gitea_db_net:
+    external: true

hosts/home-morefine/docker/filebrowser/docker-compose.yaml

@@ -0,0 +1,20 @@
+services:
+  filebrowser:
+    container_name: filebrowser
+    image: filebrowser/filebrowser
+    networks:
+      - caddy_internal
+    dns:
+      - 192.168.1.131 # pi-hole
+    volumes:
+      - '/home/vk:/srv'
+      - '/srv/rundata/filebrowser/database/filebrowser.db:/database/database.db'
+      - '/srv/rundata/filebrowser/config:/config'
+    #    - '/path/.filebrowser.json:/.filebrowser.json'
+    #user: $(id -u vk):$(id -g vk)
+    # ports:
+    #     - '8077:80'
+
+networks:
+  caddy_internal:
+    external: true

hosts/home-morefine/docker/gameyfin/docker-compose.yaml

@@ -0,0 +1,37 @@
+services:
+  gameyfin:
+    image: ghcr.io/gameyfin/gameyfin:2
+    container_name: gameyfin
+    restart: unless-stopped
+    networks:
+      - caddy_internal
+    dns:
+      - 192.168.1.131 # pi-hole
+    env_file:
+      - /run/secrets/gameyfin/secrets.env
+    environment:
+      # Generate a new APP_KEY using the command "openssl rand -base64 32" or similar.
+      #APP_KEY: secrets.sops.env
+
+      # (optional) Set the URL of your Gameyfin instance if you are using a reverse proxy.
+      # Currently, this is only used for generating links in notification emails and the log line at first run.
+      APP_URL: https://gameyfin.catmedved.com
+
+      # (optional) Set the user and group ID to run Gameyfin with a specific user.
+      PUID: 1000 # Change this to your user ID if needed
+      PGID: 1000 # Change this to your group ID if needed
+    volumes:
+      - "/srv/rundata/gameyfin/container_data/db:/opt/gameyfin/db"
+      - "/srv/rundata/gameyfin/container_data/data:/opt/gameyfin/data"
+      - "/srv/rundata/gameyfin/container_data/plugindata:/opt/gameyfin/plugindata"
+      - "/srv/rundata/gameyfin/container_data/logs:/opt/gameyfin/logs"
+      - "/mnt/wd/Games:/opt/gameyfin-library/Games"
+    ports:
+      - "10.8.0.3:8080:8080"
+      # If you plan to use the included torrent plugin, uncomment the following lines:
+      # - "6969:6969"
+
+networks:
+  caddy_internal:
+    name: caddy_internal
+    external: true

hosts/home-morefine/docker/gameyfin/secrets.sops.env

@@ -0,0 +1,9 @@
+APP_KEY=ENC[AES256_GCM,data:wDd12E91WMFdRMrZtDcas/z+u2qbst+hU+fRQg/h4s6CA/oCV+5M96b/eyY=,iv:g6hWc9gJIQWhNCRhmKHclBlsafOOkKjxUbQjC/Luy2g=,tag:f21dWkg1aqiKcBbeCi0kLg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTm9WVFhyeTQxRG9VZ1pQ\nb290ODZ4ZWxrUmFJY3JRZjFmQkMrOXcvUVNvClZxV2tjZEZjTktrSkFQNUpSZXpP\nQkhEMkxuWEpYT0xvdk5YbThVNGpNSjQKLS0tIHVMTXdFM0c2UlFaOHZSaDVWb1la\ndzIveWloUHJSKzhRY0lKUTFIYWpCVDQK4TkQ7P6Qe3zQfs2Y/HEYv1TMgufocIrK\nW85qPwEj8MXabxLHh9AHLbklxdFRJRRYb2TtLJGoLwfIWX3Y6tUmrQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dFJiUXBrOEpGSG0xdVh1\ncnBKM3cyN3ZoZWFSMmYrRUVBZGJvT0dTTzBnCjdBdGxqREEvQ0xyUjZHVXRteXQz\ndnhOV1YyM1BnNSszekljZWFMZjZ0dDgKLS0tIFc2L0dqTjNIcjFjbHJvd3daMzJ5\nL3dXWVMwSk9FUGcreFBoeXZ0UFpRdjQKi1PWuQ0v6w8ujggIm1Tn++YqIbDOdrLq\n5mrJ//qJIubV4ICANSWOw98EHbjdZrfMhCSj2HUMvL2r8VwL993o9Q==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+sops_lastmodified=2026-02-13T10:52:22Z
+sops_mac=ENC[AES256_GCM,data:+0bw+vKjn5yu8fSUIm+skFg2l0hHD0TQ518AyFmzZag4bdrqOfJFYnYuW0OWbhAgPcEfIulyIdGb6wc4J3AJDYTdWbNLiXdJMdE20JoIKe8vsqutx2VZI4gwXT6xfnbKoznBo0EqkoKPvrdE4FsaAk/NRQ8ib4Nxpd7XFBWVu7o=,iv:9Tsr8cE5xqH6aPSL1wnPSwiK2WkG5kSHV9sPaynVntQ=,tag:pF9vzIOh8ZWBBjZXpBvG9g==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0

hosts/home-morefine/docker/gitea/docker-compose.yaml

@@ -23,6 +23,8 @@
       - "127.0.0.1:2222:22"
     depends_on:
       - gitea_db
+    dns:
+      - 192.168.1.131 # host pi-hole
     secrets:
       - GITEA__DATABASE__PASSWD
       - GITEA__MAILER__USER

hosts/home-morefine/docker/glances/docker-compose.yaml

@@ -0,0 +1,21 @@
+services:
+  glances:
+    container_name: glances
+    networks:
+      - caddy_internal
+    hostname: lab-home-morefin
+    restart: always
+    ports:
+      - '61208-61209:61208-61209'
+    environment:
+      - TZ=Europe/Minsk
+      - "GLANCES_OPT=-w"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /etc/os-release:/etc/os-release:ro
+    pid: host
+    image: 'nicolargo/glances:latest-full'
+
+networks:
+  caddy_internal:
+    external: true

hosts/home-morefine/docker/homepage/config/services.yaml

@@ -35,12 +35,12 @@
         statusStyle: 'dot'
 
 - Toolkit:
-    - Librechat:
+#    - Librechat:
-        href: https://ai.catmedved.com/
+#        href: https://ai.catmedved.com/
-        description: LibreChat AI
+#        description: LibreChat AI
-        icon: librechat.png
+#        icon: librechat.png
-        siteMonitor: http://librechat:3080
+#        siteMonitor: http://librechat:3080
-        statusStyle: 'dot'
+#        statusStyle: 'dot'
     - Databasus:
         href: https://databasus.catmedved.com/
         description: DB Backups
@@ -63,7 +63,7 @@
         href: https://gitea.catmedved.com/
         description: Gitea private git
         icon: gitea.png
-        siteMonitor: http://gitea.catmedved.com:80
+        siteMonitor: http://gitea:3000
         statusStyle: 'dot'
     - Vaultwarden:
         href: https://passwords.catmedved.com/
@@ -80,10 +80,10 @@
         icon: beszel.png
         siteMonitor: http://beszel:8090
         statusStyle: 'dot'
-    - Auth:
+#    - Auth:
-        href: https://auth.catmedved.com/
+#        href: https://auth.catmedved.com/
-        description: Authentik
+#        description: Authentik
-        icon: authentik.png
+#        icon: authentik.png
 #        siteMonitor: http://authentik_server:9000/outpost.goauthentik.io/ping
 #        statusStyle: 'dot'
     - Pi-Hole:
@@ -111,3 +111,8 @@
           url: http://glances:61208
           metric: info
 
+- Servces:
+    - Fastmail:
+        href: https://app.fastmail.com/mail/Inbox/?u=80f94011
+        description: Fastmail
+        icon: fastmail.png

hosts/home-morefine/docker/immich/docker-compose.yml

@@ -25,6 +25,7 @@ services:
       - .env
     environment:
       DB_PASSWORD_FILE: /run/secrets/DB_PASSWORD
+      REDIS_HOSTNAME: immich_redis
     ports:
       - '10.8.0.3:2283:2283'
     depends_on:
@@ -33,12 +34,14 @@ services:
     restart: always
     secrets:
       - DB_PASSWORD
-    #healthcheck:
+    healthcheck:
-    #  disable: false
+      disable: false
 
   immich-machine-learning:
     networks:
       - immich_internal
+    dns:
+      - 192.168.1.131 # pi-hole
     container_name: immich_machine_learning
     # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
     # Example tag: ${IMMICH_VERSION:-release}-cuda
@@ -51,14 +54,14 @@ services:
     env_file:
       - .env
     restart: always
-    #healthcheck:
+    healthcheck:
-    #  disable: false
+      disable: false
 
   redis:
+    container_name: immich_redis
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
     networks:
       - immich_internal
-    container_name: immich_redis
-    image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
     healthcheck:
       test: redis-cli ping || exit 1
     restart: always
@@ -70,17 +73,19 @@ services:
       POSTGRES_USER: ${DB_USERNAME}
       POSTGRES_DB: ${DB_DATABASE_NAME}
       POSTGRES_INITDB_ARGS: '--data-checksums'
-    #healthcheck:
+    healthcheck:
-    #  test: [ "CMD-SHELL", "pg_isready -U ${DB_USERNAME} -d ${DB_DATABASE_NAME}" ]
+      test: ["CMD-SHELL", "pg_isready -U ${DB_USERNAME} -d ${DB_DATABASE_NAME} -h 127.0.0.1 || exit 1"]
-    #  interval: 30s
+      interval: 30s
-    #  timeout: 10s
+      timeout: 5s
-    #  retries: 3
+      retries: 5
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+      start_period: 40s
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
     networks:
       - immich_internal
     restart: always
     secrets:
       - DB_PASSWORD
+    shm_size: 256mb
     volumes:
       # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
       - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
@@ -93,4 +98,4 @@ networks:
 
 secrets:
   DB_PASSWORD:
-    file: /run/secrets/immich/DB_PASSWORD
+    file: /run/secrets/immich/DB_PASSWORD

hosts/home-morefine/docker/mealie/.env

@@ -0,0 +1,11 @@
+# apps user
+PUID=995
+PGID=995
+TZ=Europe/Minsk
+BASE_URL=https://recepies.catmedved.com
+ALLOW_SIGNUP=true
+
+SMTP_HOST=smtp.fastmail.com
+SMTP_PORT=587
+SMTP_FROM_NAME=Mealie
+SMTP_AUTH_STRATEGY=TLS

hosts/home-morefine/docker/mealie/docker-compose.yaml

@@ -0,0 +1,43 @@
+services:
+  mealie:
+    image: ghcr.io/mealie-recipes/mealie:v3.10.2
+    container_name: mealie
+    restart: unless-stopped
+    #    ports:
+    #        - "9000:9000"
+    networks:
+      - caddy_internal
+    dns:
+      - 192.168.1.131 # pi-hole
+    deploy:
+      resources:
+        limits:
+          memory: 2000M #
+    volumes:
+      - /srv/rundata/mealie/mealie_data:/app/data/
+    env_file:
+      - .env
+    environment:
+      SMTP_FROM_EMAIL_FILE: /run/secrets/SMTP_FROM_EMAIL
+      SMTP_USER_FILE: /run/secrets/SMTP_USER
+      SMTP_PASSWORD_FILE: /run/secrets/SMTP_PASSWORD
+      OPENAI_API_KEY_FILE: /run/secrets/OPENAI_API_KEY
+    secrets:
+      - SMTP_FROM_EMAIL
+      - SMTP_USER
+      - SMTP_PASSWORD
+      - OPENAI_API_KEY
+
+networks:
+  caddy_internal:
+    external: true
+
+secrets:
+  SMTP_FROM_EMAIL:
+    file: /run/secrets/mealie/SMTP_FROM_EMAIL
+  SMTP_USER:
+    file: /run/secrets/mealie/SMTP_USER
+  SMTP_PASSWORD:
+    file: /run/secrets/mealie/SMTP_PASSWORD
+  OPENAI_API_KEY:
+    file: /run/secrets/mealie/OPENAI_API_KEY

hosts/home-morefine/docker/mealie/secrets.sops.yaml

@@ -0,0 +1,28 @@
+OPENAI_API_KEY: ENC[AES256_GCM,data:je5aR2mmV+e87AcWwpr8AsdaubDSTZWcNmLbWSkKowz6shl6VFBY6F30HDq8ZpVmTZgxFYoXqolzp/NOOdfCpgK4feduMMB5/dV2y66SA7K4nI/iQrFhY9ynDTMCRkIJ+7YPIpH8NX0V5xM72OaB6ax2VYmfQXbBGt74FCqe4bNgy2QOZBhVEMPADi67oGsv0+bfUNtTMepvZqgSZEI5TD9A7gI=,iv:xiAU+uttRIYJ2VbRadRlDFa6Dh84GWmK6YY0N2lz/EU=,tag:us+Gqd8VIYFusIf0RpBJpQ==,type:str]
+SMTP_FROM_EMAIL: ENC[AES256_GCM,data:zAR1DkpDHKGUSbtr2SsdpM3te0g=,iv:8c+Oh041FRq3Pxol2V5y1NswDsaFu3jWra/av2nzcLo=,tag:JMKyrG0Pd/1avZUoz4EC0w==,type:str]
+SMTP_USER: ENC[AES256_GCM,data:Eu54STOpUBEhDsgOYg3HNDpf,iv:vuvqnZ0aZNbRbhaGEV97QmTcKfUGvgjuxU++KvZvtOk=,tag:XJf98vJ7hgRkFT16VhV50Q==,type:str]
+SMTP_PASSWORD: ENC[AES256_GCM,data:ojuqLrn21mGEsBwREJnHcw==,iv:f9hQi6rbLGMvlMF/eUHqnDh9i/vnF9PtWzI61PsuNK8=,tag:lzgJXXpxIY9YkbJLSZLv4w==,type:str]
+sops:
+    age:
+        - recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaWZCK2tCVEo5UnFZMUQy
+            VWRVN3ZaNzlsUGZnVjJ4Q0FoTE00VkFVYkdZClBTajFBYVhJZUlYdEdQRWFTY3Iy
+            Y1B4NmFUYkZJSmN6TzdlV25aMG1kYVEKLS0tIDRVRGJyRVBTYno2dG9nUzdTQTNw
+            bGl1YTE0NHl2dXhIbE1KQlptcWZKTlUKKiIh02s3ADYEf5QOtcVllU1jPga2R359
+            /IkK7PTWtrGh0334ChjPi8vsArDr661eSgMJQBT8cas+Z8LqbDmmJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeFN3T0xzblJ1SXZLaUZl
+            Myt2cFpCdUdZZm13SjFNWlprSVBvaDdOMEVZCkRROHBOalRXMHpxNUh5QWtXK0VR
+            cWV5aldRaWt6Z3JLSjVvWnJTQlZMeFUKLS0tIHh3anRTYitVTGhvR0dXYkp6QWs5
+            eTM3eEhrYkJSc3IxVGJlSzJmOUd6bncK8q0pHj60nXdWdqUV10dv02nkTtGHyLpb
+            WyzjLLLE+fqxZFASi+e5sM7cbCdYf/pronruobSszy1uEVDftIRy5Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-13T14:46:23Z"
+    mac: ENC[AES256_GCM,data:a+jLfsDyuB98ORFFOYF8Zn+yo+PmyUvtsBpUrDEs35L2883D+EvD1vwk/FlsGU7IRk5TgTZS921X+hdVTjXPwfjbE1IBnCzaXzgbrfGZXWbhXiDKfh6/yys9xJfJJKEAARNBNVPDv5ilrO7tf/5awmnb72xaWvdViv8pLsXJBZo=,iv:DNEDTBC4xNXADasU7WzQ5Mu9uF0+bofw5uMj07fruV8=,tag:WaAnknCd5pJcO2dzawh18g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/home-morefine/docker/pihole/docker-compose.yaml

@@ -0,0 +1,29 @@
+services:
+  pihole:
+    image: pihole/pihole:latest
+    container_name: pihole
+    restart: unless-stopped
+    networks:
+      - caddy_internal
+    ports:
+    #  - "8081:80"
+      - "53:53/tcp"
+      - "53:53/udp"
+    environment:
+      TZ: 'Europe/Minsk'
+      WEBPASSWORD_FILE: /run/secrets/pihole/WEBPASSWORD
+      #FTLCONF_webserver_api_password: WEBPASSWORD_FILE
+      FTLCONF_dns_listeningMode: 'all'
+    volumes:
+      - /srv/rundata/pihole/etc-pihole:/etc/pihole/
+      - /srv/rundata/pihole/dnsmasq.d:/etc/dnsmasq.d/
+    dns:
+      - 127.0.0.1
+      - 1.1.1.1
+    #      - 8.8.8.8
+    cap_add:
+      - NET_ADMIN
+
+networks:
+  caddy_internal:
+    external: true

hosts/home-morefine/docker/pihole/secrets.sops.yaml

@@ -0,0 +1,25 @@
+WEBPASSWORD: ENC[AES256_GCM,data:edQU3J4QPY7RsQuI1ZE=,iv:cGSMcG9olkMY93kNF386lPjBGHhUhj+mF/ly7vWMrq4=,tag:fNRBj3gRMQMytZWSOa66lQ==,type:str]
+sops:
+    age:
+        - recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SXdIQktJUTNQRXVoenlu
+            Y2RsMmRuM084eHRTdnZnaG9uUFZhRHllZ3kwCjFYV01lR2d0ci9YR09TcVp4Y1lC
+            clNkckNEbUxZeHI5UnFPd2ZzZkVTNjAKLS0tIElSYlp6ZGg1UTNNQk5QbitjWlIy
+            QjBJM0h1bmw2eGt1Sy9WUFd0RmNMSTgK64gSZP+MSlrHx3//MLoJQf+Nyxgqx/ab
+            mdvw8x33dimOgJSPK8yJqxVAPzjasboz5Nm8CJsAemX+XyUJxh8nwA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WTlKV0lSOEZtU1NhVHBM
+            Z1NocEpUMXhpVDE1dW9lRk41cTlDdUthNEhzCkszVkc2NTJkbWRRTWx2b1p0d3dv
+            eThXT05LbDhBWHRCV1BYSnduMGNMQm8KLS0tIE1JbVZkblNXdktqUEYzak8zTmRL
+            amVHRDJlVUpxeFg0S0RmUXUrckN4VGsKlpPBESTbM+F2VjwwP/RiTFnPXZgW47n4
+            PdD5Tv7tqFCP/WDX+SWIgNvhSg9KqPYbtmy93wfkxYvOEc4e/mOq+w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-13T11:14:33Z"
+    mac: ENC[AES256_GCM,data:O5mdN3OPNcgaL+TRnYx4Shj9Xsyn3XFmCJqxx93FbGTgI8Se6m5sPrYBCfl2xhk2ZlejN5Ttk3rKRL2G4L02tPGK6JZxsUQ2O93W3nUCUXFo0nJhANjrb+piLa0B+NxVl23QSo/i2MYAhJwkH/qi9Tl/hXJybrAVRBIhKgKlGBc=,iv:BNdYQ6NYs/IMHMmmXOGB+2br0wA+VaxnzWUgELY49F0=,tag:t88fAbdEf6yriynFENsQZQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/home-morefine/docker/postgres/docker-compose.yml

@@ -0,0 +1,31 @@
+services:
+  postgres:
+    image: postgres:18
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+#      POSTGRES_PASSWORD_FILE: /run/secrets/POSTGRES_PASSWORD
+      POSTGRES_INITDB_ARGS: "--data-checksums --locale=C --encoding=UTF8 --auth-host=scram-sha-256"
+      POSTGRES_HOST_AUTH_METHOD: "scram-sha-256"
+      TZ: Europe/Minsk
+    networks:
+      - postgres
+    ports:
+      - "127.0.0.1:5432:5432"
+    volumes:
+      - /srv/postgres18:/var/lib/postgresql
+#    secrets:
+#      - POSTGRES_PASSWORD
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+#secrets:
+#  POSTGRES_PASSWORD:
+#    file: ./POSTGRES_PASSWORD
+
+networks:
+  postgres:
+    name: postgres

hosts/home-morefine/docker/vaultwarden/docker-compose.yaml

@@ -0,0 +1,20 @@
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: unless-stopped
+    environment:
+      DOMAIN: "https://passwords.catmedved.com"
+    volumes:
+      - /srv/rundata/vaultwarden/vw-data/:/data/
+    #    ports:
+    #      - 5080:80
+    networks:
+      - caddy_internal
+    dns:
+      - 192.168.1.131 # pi-hole
+
+networks:
+  caddy_internal:
+    name: caddy_internal
+    external: true

hosts/lab-by-02/docker/beszel/docker-compose.yaml

@@ -0,0 +1,25 @@
+services:
+  beszel-agent:
+    image: henrygd/beszel-agent
+    container_name: beszel-agent
+    restart: unless-stopped
+    network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./beszel_agent_data:/var/lib/beszel-agent
+      # monitor other disks / partitions by mounting a folder in /extra-filesystems
+      # - /mnt/disk/.beszel:/extra-filesystems/sda1:ro
+    environment:
+      LISTEN: 45876
+      HUB_URL: https://beszel.catmedved.com
+      KEY_FILE: /run/secrets/AGENT_KEY
+      TOKEN_FILE: /run/secrets/AGENT_TOKEN
+    secrets:
+      - KEY_FILE
+      - TOKEN_FILE
+
+secrets:
+  KEY_FILE:
+    file: /run/secrets/beszel/AGENT_KEY
+  TOKEN_FILE:
+    file: /run/secrets/beszel/AGENT_TOKEN

hosts/lab-by-02/docker/beszel/secrets.sops.yaml

@@ -0,0 +1,26 @@
+AGENT_KEY: ENC[AES256_GCM,data:21+ujbBL/qZU/D7DhykaAgL1tg5puAa3Unh+saeO8sC2ozgAEIhgw/ctd0Bcq86F3yzhMyiP7MEJuVPOzxcODWehFnYpxhzLqqBIBWb/1QY=,iv:GIvs2L/3OuIzyzAIkwasZ+IyIQOmFe6GJeJ68VBH8XM=,tag:CZUrhBbTffPcSt+W0pbOLA==,type:str]
+AGENT_TOKEN: ENC[AES256_GCM,data:K1QCpuyCT29VjdX0iBgLvsxu4jhAScCyNfka4EmYjxC9T2cR,iv:Cmo3rRUN3XNL3bFDuwaGeW0tlBCS61lG5XmCooNFXL0=,tag:k4doY+ymr3NasJg15hvvIg==,type:str]
+sops:
+    age:
+        - recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdEg3MlBQc0orTmFKZmh0
+            OTg4bXpNQzFJWmJwaUNmVk9uNVNobmgwZ0JvCnErN2U0R1dFWmRCRjc2ZGZkTDcr
+            dy9FYUNzTUwyQUpXSm9kclJKYW55QjgKLS0tIEZKQTBCcndIMnVQQXN2ZDFqNWZN
+            Zkc3bm1taDd1b2d1VWcrVmxUTDJFcEUKXpe1NE1zZ+qKyCXDDXgEi6uVZ5WATOnT
+            ZjSP3bzPJBRPqz3zxAcrgwOKLNKJlk6IiCVCTkorzfQMv4iCuUsLQA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdnpPa1YrZGNwUk5ReUlH
+            NjFuMk1QV1ZPM0d1TkFmRXFSVGtidEk2SEZRCklTdVhIL1dRRm9mdjg4SGZjenVo
+            dmxYZ2ZEaW1FeDQvNWFSOHJucjNHdmcKLS0tIDhvclZIMDlwajFqbW9DTHUwZHJJ
+            U1cyQzc3TlhybW43cS96QWxzYjlPcUkKB28IAAO5PpUlef8JnD8JvWxvdoToWOgA
+            LV3lhShJr+/CcT9o5Sxt9ijY5FNUDA/H8nVlECgoTfE0B9mmCiXL7g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-13T15:18:29Z"
+    mac: ENC[AES256_GCM,data:rYkCfNnsM6AWXnv/8dFGqCWf5wRVM6YS9ZnUjWuzRnlhuHnwMxPFxEoLeo445/dVkflBlnMeVKtkMZlM9byd3aWK4mcIiqxeZ+MTAjMt2jzqqj7Kf/j2BoCAazpJSkqqFCfCpp0IXPtWQPZTEz7Ki4ozZUeHa73+nZoqjNPDSC8=,iv:yn4atWog6/yYw1ZYlTK7eZdyUTv0d1D66B/9/QL0joo=,tag:fe50DGtkRM2HiZno8IIVSg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/lab-by-02/docker/caddy/Caddyfile

@@ -0,0 +1,34 @@
+{
+    email ulakar@fastmail.com
+    admin off
+}
+
+# B
+beszel.catmedved.com {
+    reverse_proxy http://10.8.0.3:8090
+}
+
+# G
+gameyfin.catmedved.com {
+    reverse_proxy http://10.8.0.3:8080
+}
+
+# M
+media.kladovka52.com {
+    reverse_proxy http://10.8.0.4:8096
+}
+
+music.catmedved.com {
+    reverse_proxy http://10.8.0.3:4533
+}
+
+# P
+photo.catmedved.com {
+    reverse_proxy http://10.8.0.3:2283
+}
+
+# V
+vpnwg.ulakar.com {
+    reverse_proxy localhost:51821
+}
+}

hosts/lab-by-02/docker/caddy/docker-compose.yml

@@ -0,0 +1,26 @@
+services:
+  caddy:
+    image: caddy:latest
+    container_name: caddy
+    restart: unless-stopped
+    #    networks:
+    #      - caddy
+    network_mode: "container:wgeasy"
+    #    ports:
+    #      - "80:80"
+    #      - "443:443"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
+      - caddy_data:/data
+      - caddy_config:/config
+    environment:
+      - TZ=Europe/Minsk
+
+#networks:
+#  caddy:
+#    name: caddy
+#    external: false
+
+volumes:
+  caddy_data:
+  caddy_config:

hosts/lab-by-02/docker/wgeasy/docker-compose.yml

@@ -0,0 +1,45 @@
+services:
+  wg-easy:
+    environment:
+      #  Optional:
+      #  - PORT=80
+      #  - HOST="vpnwg.ulakar.com"
+      - INSECURE=false
+
+    image: ghcr.io/wg-easy/wg-easy:15
+    container_name: wgeasy
+    networks:
+      #      caddy:
+      wg:
+        ipv4_address: 10.42.42.42
+        ipv6_address: fdcc:ad94:bacf:61a3::2a
+    volumes:
+      - ./data:/etc/wireguard
+      - /lib/modules:/lib/modules:ro
+    ports:
+      - "51820:51820/udp"
+      - "80:80"
+      - "443:443"
+    #  - "51821:51821/tcp"
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv6.conf.all.forwarding=1
+      - net.ipv6.conf.default.forwarding=1
+
+networks:
+  #  caddy:
+  #    external: true
+  wg:
+    driver: bridge
+    enable_ipv6: true
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.42.42.0/24
+        - subnet: fdcc:ad94:bacf:61a3::/64

hosts/lab-by-02/docker/wgeasy/readme.md

@@ -0,0 +1,9 @@
+regular config path: `/etc/wireguard/wg0.conf`
+
+wgeasy adds row to match json with wg0 conf:
+
+`# Client: Name (Id)`
+
+Example:
+
+`# Client: Jalezze (4073b49a-ad08-4324-b4d0-bfe04d743fd3)`

hosts/lab-by-02/initial_setup.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+
+### ==== CONFIG ====
+NEW_USER="vk"
+NEW_USER_SSH_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrWDR47Kc44jCeM+DK+2J1MZgPm6FlHc7LTkN0loeWea0EMCu3rtzSRV6OUIMsbh6038m77kNmsoP7XjfYOdHLTEdYZ87Y4kd6O0VUSW0ldDCtrmFZBy7rI7YAnAh1Hup0Q4DaimDHx2UWrrXxUxKcuPw2eJtbN7/yhq9nrdTkr1kP213geHIcs91d+g9UrGSU2eMS8wGm67VSEgIQSiOoGiY422JzDR57x3EmH3M4bDw0kQFAwguBM7LtBG0oX/Znd4EjAZNnkqaGGqdaxxld3sqzs8EjXIgkEfvwp7qX9tW5qyyA2j3syg/qj89FaLW/CRmIKqxIZnYaweL4e2MhvHWE8CaMws5N801YuTdyvyQZSUHgNCe5MR9f6FihgPBX9M0qDAHlZ0oUKq6ScIUqz+JpWL/NTcOLYMCnBoL+JDIyzkwBzlJpreq4MmC7bjL6hjw5K0ykA9S8Kk4Cuarfw9OwSk5LiL/bVy2CDBtBBIzFg9Hd0TanSERjRQrhh7s= vk@jalezze'
+HOSTNAME_FQDN="lab-by-02.ulakar.com"
+### ===================================
+
+if [[ "$(id -u)" -ne 0 ]]; then
+  echo "Run this script under root user" >&2
+  exit 1
+fi
+
+echo "== Update System =="
+apt-get update -y
+apt-get upgrade -y
+
+if [[ -n "$HOSTNAME_FQDN" ]]; then
+  echo "== Set hostname: $HOSTNAME_FQDN =="
+  hostnamectl set-hostname "$HOSTNAME_FQDN"
+fi
+
+echo "== Create user $NEW_USER =="
+if id "$NEW_USER" >/dev/null 2>&1; then
+  echo "User $NEW_USER already exists. Skip."
+else
+  adduser --disabled-password --gecos "" "$NEW_USER"
+fi
+
+echo "== Add $NEW_USER into sudo =="
+usermod -aG sudo "$NEW_USER"
+
+# allow sudo commands without password
+echo "$NEW_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$NEW_USER"
+sudo chmod 440 "/etc/sudoers.d/$NEW_USER"
+
+echo "== Setup SSH-key for $NEW_USER =="
+USER_HOME=$(getent passwd "$NEW_USER" | cut -d: -f6)
+mkdir -p "$USER_HOME/.ssh"
+chmod 700 "$USER_HOME/.ssh"
+
+AUTH_KEYS="$USER_HOME/.ssh/authorized_keys"
+touch "$AUTH_KEYS"
+grep -qxF "$NEW_USER_SSH_KEY" "$AUTH_KEYS" || echo "$NEW_USER_SSH_KEY" >> "$AUTH_KEYS"
+chmod 600 "$AUTH_KEYS"
+chown -R "$NEW_USER:$NEW_USER" "$USER_HOME/.ssh"
+
+echo "== Setup SSH =="
+
+cat >/etc/ssh/sshd_config.d/100-security.conf <<EOF
+PermitRootLogin no
+PasswordAuthentication no
+EOF
+
+echo "== Reload SSH daemon =="
+
+if systemctl reload ssh 2>/dev/null; then
+    echo "SSH reloaded via ssh.service"
+elif systemctl reload sshd 2>/dev/null; then
+    echo "SSH reloaded via sshd.service"
+else
+    echo "Warning: could not reload SSH daemon"
+fi
+
+echo "== Install base utilities =="
+apt-get install -y \
+  net-tools \
+  htop \
+  curl \
+  wget \
+  git \
+  vim \
+  gnupg \
+  ca-certificates \
+  lsb-release
+
+echo "== Finished. Check SSH for $NEW_USER =="

hosts/lab-by-02/install_base_utilities.sh

@@ -0,0 +1,13 @@
+echo "== Install base utilities =="
+apt-get install -y \
+  net-tools \
+  htop \
+  curl \
+  wget \
+  git \
+  vim \
+  gnupg \
+  ca-certificates \
+  lsb-release
+
+echo "== Finished install base utilities =="

hosts/lab-by-02/setup_docker.sh

@@ -0,0 +1,8 @@
+echo "== Docker: install from get.docker.com =="
+curl -fsSL https://get.docker.com | sh
+
+echo "== Docker: add $NEW_USER into docker group =="
+usermod -aG docker "$NEW_USER"
+systemctl enable --now docker
+
+echo "== Finished docker installation =="

hosts/lab-by-02/setup_fail2ban.sh

@@ -0,0 +1,4 @@
+echo "== Fail2ban =="
+apt-get install -y fail2ban
+systemctl enable --now fail2ban
+echo "== Fail2ban enabled =="

hosts/lab-by-02/setup_ufw.sh

@@ -0,0 +1,12 @@
+echo "== UFW =="
+apt-get install -y ufw
+
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 22/tcp
+ufw allow 80/tcp
+ufw allow 443/tcp
+# enable with interactive = off
+echo "y" | ufw enable
+
+echo "== UFW enabled =="