
9 Commits

v.karaychentsev
68df7ab696 immich: try add dns to reach pc for ML tasks 2026-02-15 00:32:24 +03:00
v.karaychentsev
c99cdf11dc try fix issue with broken redis 2026-02-15 00:26:47 +03:00
v.karaychentsev
3328ceecf7 immich: fix network for redis image after update 2026-02-14 19:35:23 +03:00
v.karaychentsev
f543c35d29 immich - update to latest version v2.5.6 2026-02-14 13:02:29 +03:00
v.karaychentsev
428f694eaa add initial setup scripts used for by-02 host (vpnwg.ulakar.com) 2026-02-13 18:24:00 +03:00
v.karaychentsev
cc467dcdf4 add beszel config 2026-02-13 18:21:08 +03:00
v.karaychentsev
4dce2b7037 add wgeasy setup config 2026-02-13 18:16:01 +03:00
v.karaychentsev
4559164bff vpn host - add caddy 2026-02-13 18:10:05 +03:00
v.karaychentsev
54bbce83a1 add postgres config. used for testing purposes for now 2026-02-13 18:07:45 +03:00
15 changed files with 353 additions and 13 deletions


@@ -7,3 +7,7 @@
age: age:
- age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk # me - age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk # me
- age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73 # server - age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73 # server
- path_regex: '(^|[\\/]).*\.sops\.conf$'
age:
- age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk # me
- age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73 # server
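Review bot: The new `path_regex` rule repeats the same two age recipients as the rule above it, so a key rotation has to be applied in both places and a missed one silently leaves `*.sops.conf` files encryptable to the old key. sops reads this file with a YAML loader that supports anchors, so defining the list once (`age: &age_recipients`) and aliasing it in the new rule (`age: *age_recipients`) keeps the two rules in step. Whichever form is kept, affected files need `sops updatekeys` after a recipient change.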


@@ -25,6 +25,7 @@ services:
- .env - .env
environment: environment:
DB_PASSWORD_FILE: /run/secrets/DB_PASSWORD DB_PASSWORD_FILE: /run/secrets/DB_PASSWORD
REDIS_HOSTNAME: immich_redis
ports: ports:
- '10.8.0.3:2283:2283' - '10.8.0.3:2283:2283'
depends_on: depends_on:
@@ -33,12 +34,14 @@ services:
restart: always restart: always
secrets: secrets:
- DB_PASSWORD - DB_PASSWORD
#healthcheck: healthcheck:
# disable: false disable: false
immich-machine-learning: immich-machine-learning:
networks: networks:
- immich_internal - immich_internal
dns:
- 192.168.1.131 # pi-hole
container_name: immich_machine_learning container_name: immich_machine_learning
# For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag. # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
# Example tag: ${IMMICH_VERSION:-release}-cuda # Example tag: ${IMMICH_VERSION:-release}-cuda
@@ -51,14 +54,14 @@ services:
env_file: env_file:
- .env - .env
restart: always restart: always
#healthcheck: healthcheck:
# disable: false disable: false
redis: redis:
container_name: immich_redis
image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
networks: networks:
- immich_internal - immich_internal
container_name: immich_redis
image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
healthcheck: healthcheck:
test: redis-cli ping || exit 1 test: redis-cli ping || exit 1
restart: always restart: always
@@ -70,17 +73,19 @@ services:
POSTGRES_USER: ${DB_USERNAME} POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME} POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums' POSTGRES_INITDB_ARGS: '--data-checksums'
#healthcheck: healthcheck:
# test: [ "CMD-SHELL", "pg_isready -U ${DB_USERNAME} -d ${DB_DATABASE_NAME}" ] test: ["CMD-SHELL", "pg_isready -U ${DB_USERNAME} -d ${DB_DATABASE_NAME} -h 127.0.0.1 || exit 1"]
# interval: 30s interval: 30s
# timeout: 10s timeout: 5s
# retries: 3 retries: 5
image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0 start_period: 40s
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
networks: networks:
- immich_internal - immich_internal
restart: always restart: always
secrets: secrets:
- DB_PASSWORD - DB_PASSWORD
shm_size: 256mb
volumes: volumes:
# Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
@@ -93,4 +98,4 @@ networks:
secrets: secrets:
DB_PASSWORD: DB_PASSWORD:
file: /run/secrets/immich/DB_PASSWORD file: /run/secrets/immich/DB_PASSWORD
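Review bot: The `dns:` list added to immich-machine-learning names a single resolver, `- 192.168.1.131 # pi-hole`, with no fallback, so the ML container loses all external name resolution whenever that host is unreachable; container-name lookups such as `immich_redis` should still work, since on a user-defined network they are answered by Docker's embedded DNS and `dns:` only sets its upstream. If the pi-hole is meant to be the sole resolver, record that trade-off in the comment (`# pi-hole; sole resolver on purpose, ML DNS fails closed when it is down`), otherwise add a second entry. The valkey and postgres images in the later hunks are pinned by tag plus digest, which is the right shape for the rest of this file to follow.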


@@ -0,0 +1,31 @@
services:
postgres:
image: postgres:18
container_name: postgres
restart: unless-stopped
environment:
# POSTGRES_PASSWORD_FILE: /run/secrets/POSTGRES_PASSWORD
POSTGRES_INITDB_ARGS: "--data-checksums --locale=C --encoding=UTF8 --auth-host=scram-sha-256"
POSTGRES_HOST_AUTH_METHOD: "scram-sha-256"
TZ: Europe/Minsk
networks:
- postgres
ports:
- "127.0.0.1:5432:5432"
volumes:
- /srv/postgres18:/var/lib/postgresql
# secrets:
# - POSTGRES_PASSWORD
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 30s
timeout: 10s
retries: 3
#secrets:
# POSTGRES_PASSWORD:
# file: ./POSTGRES_PASSWORD
networks:
postgres:
name: postgres
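Review bot: With `# POSTGRES_PASSWORD_FILE: /run/secrets/POSTGRES_PASSWORD` and both `secrets` blocks commented out, no superuser password reaches the container, and the official image's entrypoint refuses to initialize a fresh cluster without `POSTGRES_PASSWORD` or `POSTGRES_PASSWORD_FILE` unless `POSTGRES_HOST_AUTH_METHOD` is `trust`; on a first run against an empty `/srv/postgres18` this service should therefore fail to start, while an already-initialized volume would come up because the variables are ignored then. Either restore the secret lines or state in a comment that the volume is pre-initialized. `image: postgres:18` is unpinned; a minor tag or digest would make the "testing" setup reproducible. Binding only `127.0.0.1:5432:5432` is the right choice and worth keeping if this is promoted beyond testing.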


@@ -0,0 +1,25 @@
services:
beszel-agent:
image: henrygd/beszel-agent
container_name: beszel-agent
restart: unless-stopped
network_mode: host
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./beszel_agent_data:/var/lib/beszel-agent
# monitor other disks / partitions by mounting a folder in /extra-filesystems
# - /mnt/disk/.beszel:/extra-filesystems/sda1:ro
environment:
LISTEN: 45876
HUB_URL: https://beszel.catmedved.com
KEY_FILE: /run/secrets/AGENT_KEY
TOKEN_FILE: /run/secrets/AGENT_TOKEN
secrets:
- KEY_FILE
- TOKEN_FILE
secrets:
KEY_FILE:
file: /run/secrets/beszel/AGENT_KEY
TOKEN_FILE:
file: /run/secrets/beszel/AGENT_TOKEN
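Review bot: `image: henrygd/beszel-agent` carries no tag or digest, so each pull takes whatever upstream currently publishes, yet this container runs with `network_mode: host` and `/var/run/docker.sock` mounted; the `:ro` on that bind mount only makes the socket file read-only, it does not restrict the Docker API calls the agent can make through it. Pin the image the way the immich compose file in this same compare pins valkey and postgres (tag plus `@sha256:` digest) so an upstream change cannot land silently with that level of access. Reading the key and token from `/run/secrets` rather than the environment is good; the `LISTEN: 45876` value is an unquoted integer, which Compose accepts, but quoting it avoids surprises with stricter validators.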


@@ -0,0 +1,26 @@
AGENT_KEY: ENC[AES256_GCM,data:21+ujbBL/qZU/D7DhykaAgL1tg5puAa3Unh+saeO8sC2ozgAEIhgw/ctd0Bcq86F3yzhMyiP7MEJuVPOzxcODWehFnYpxhzLqqBIBWb/1QY=,iv:GIvs2L/3OuIzyzAIkwasZ+IyIQOmFe6GJeJ68VBH8XM=,tag:CZUrhBbTffPcSt+W0pbOLA==,type:str]
AGENT_TOKEN: ENC[AES256_GCM,data:K1QCpuyCT29VjdX0iBgLvsxu4jhAScCyNfka4EmYjxC9T2cR,iv:Cmo3rRUN3XNL3bFDuwaGeW0tlBCS61lG5XmCooNFXL0=,tag:k4doY+ymr3NasJg15hvvIg==,type:str]
sops:
age:
- recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdEg3MlBQc0orTmFKZmh0
OTg4bXpNQzFJWmJwaUNmVk9uNVNobmgwZ0JvCnErN2U0R1dFWmRCRjc2ZGZkTDcr
dy9FYUNzTUwyQUpXSm9kclJKYW55QjgKLS0tIEZKQTBCcndIMnVQQXN2ZDFqNWZN
Zkc3bm1taDd1b2d1VWcrVmxUTDJFcEUKXpe1NE1zZ+qKyCXDDXgEi6uVZ5WATOnT
ZjSP3bzPJBRPqz3zxAcrgwOKLNKJlk6IiCVCTkorzfQMv4iCuUsLQA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdnpPa1YrZGNwUk5ReUlH
NjFuMk1QV1ZPM0d1TkFmRXFSVGtidEk2SEZRCklTdVhIL1dRRm9mdjg4SGZjenVo
dmxYZ2ZEaW1FeDQvNWFSOHJucjNHdmcKLS0tIDhvclZIMDlwajFqbW9DTHUwZHJJ
U1cyQzc3TlhybW43cS96QWxzYjlPcUkKB28IAAO5PpUlef8JnD8JvWxvdoToWOgA
LV3lhShJr+/CcT9o5Sxt9ijY5FNUDA/H8nVlECgoTfE0B9mmCiXL7g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-13T15:18:29Z"
mac: ENC[AES256_GCM,data:rYkCfNnsM6AWXnv/8dFGqCWf5wRVM6YS9ZnUjWuzRnlhuHnwMxPFxEoLeo445/dVkflBlnMeVKtkMZlM9byd3aWK4mcIiqxeZ+MTAjMt2jzqqj7Kf/j2BoCAazpJSkqqFCfCpp0IXPtWQPZTEz7Ki4ozZUeHa73+nZoqjNPDSC8=,iv:yn4atWog6/yYw1ZYlTK7eZdyUTv0d1D66B/9/QL0joo=,tag:fe50DGtkRM2HiZno8IIVSg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0


@@ -0,0 +1,34 @@
{
email ulakar@fastmail.com
admin off
}
# B
beszel.catmedved.com {
reverse_proxy http://10.8.0.3:8090
}
# G
gameyfin.catmedved.com {
reverse_proxy http://10.8.0.3:8080
}
# M
media.kladovka52.com {
reverse_proxy http://10.8.0.4:8096
}
music.catmedved.com {
reverse_proxy http://10.8.0.3:4533
}
# P
photo.catmedved.com {
reverse_proxy http://10.8.0.3:2283
}
# V
vpnwg.ulakar.com {
reverse_proxy localhost:51821
}
}
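Review bot: The final `}` has no matching opening brace among the lines shown: the global options block and each of the seven site blocks already close themselves, so as rendered the file carries one extra `}` and Caddy would reject it at load time. The hunk header counts 34 lines while 28 are visible, so blank lines were dropped in rendering, but a stray brace is unlikely to be a rendering artifact; check it with `caddy validate --config Caddyfile --adapter caddyfile` before deploying. `admin off` and the per-site `reverse_proxy` to WireGuard-side addresses are sound.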


@@ -0,0 +1,26 @@
services:
caddy:
image: caddy:latest
container_name: caddy
restart: unless-stopped
# networks:
# - caddy
network_mode: "container:wgeasy"
# ports:
# - "80:80"
# - "443:443"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- caddy_data:/data
- caddy_config:/config
environment:
- TZ=Europe/Minsk
#networks:
# caddy:
# name: caddy
# external: false
volumes:
caddy_data:
caddy_config:
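Review bot: `network_mode: "container:wgeasy"` joins caddy to the wg-easy container's network namespace, so this stack can only start after that container exists and has to be recreated whenever wgeasy is recreated, because the namespace disappears with it; wg-easy lives in a separate compose file in this compare, so `depends_on` cannot express that and it should be documented next to the setting, e.g. `# shares wgeasy's netns (ports 80/443 are published there); recreate caddy after recreating wgeasy`. `image: caddy:latest` is unpinned; pin a major tag such as `caddy:2` or a digest so a proxy that fronts every public hostname does not change under an unattended pull.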



@@ -0,0 +1,45 @@
services:
wg-easy:
environment:
# Optional:
# - PORT=80
# - HOST="vpnwg.ulakar.com"
- INSECURE=false
image: ghcr.io/wg-easy/wg-easy:15
container_name: wgeasy
networks:
# caddy:
wg:
ipv4_address: 10.42.42.42
ipv6_address: fdcc:ad94:bacf:61a3::2a
volumes:
- ./data:/etc/wireguard
- /lib/modules:/lib/modules:ro
ports:
- "51820:51820/udp"
- "80:80"
- "443:443"
# - "51821:51821/tcp"
restart: unless-stopped
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv6.conf.all.forwarding=1
- net.ipv6.conf.default.forwarding=1
networks:
# caddy:
# external: true
wg:
driver: bridge
enable_ipv6: true
ipam:
driver: default
config:
- subnet: 10.42.42.0/24
- subnet: fdcc:ad94:bacf:61a3::/64
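Review bot: `cap_add: - SYS_MODULE` together with the `/lib/modules:/lib/modules:ro` mount lets the container load arbitrary kernel modules into the host, which is far wider than WireGuard needs: on kernels 5.6 and later the wireguard module is in-tree, and once it is present on the host (loaded at boot via a modules-load.d entry) the container only needs `NET_ADMIN`. Try the stack without SYS_MODULE and the modules mount and keep them only if the host kernel genuinely lacks the module; a comment recording that outcome would stop the capability from being re-added later. The `"80:80"` and `"443:443"` publications are for the caddy container that shares this netns, which is worth a comment here since nothing in this file uses them.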


@@ -0,0 +1,9 @@
regular config path: `/etc/wireguard/wg0.conf`
wgeasy adds row to match json with wg0 conf:
`# Client: Name (Id)`
Example:
`# Client: Jalezze (4073b49a-ad08-4324-b4d0-bfe04d743fd3)`


@@ -0,0 +1,79 @@
#!/usr/bin/env bash
set -euo pipefail
### ==== CONFIG ====
NEW_USER="vk"
NEW_USER_SSH_KEY='ssh-rsa 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 vk@jalezze'
HOSTNAME_FQDN="lab-by-02.ulakar.com"
### ===================================
if [[ "$(id -u)" -ne 0 ]]; then
echo "Run this script under root user" >&2
exit 1
fi
echo "== Update System =="
apt-get update -y
apt-get upgrade -y
if [[ -n "$HOSTNAME_FQDN" ]]; then
echo "== Set hostname: $HOSTNAME_FQDN =="
hostnamectl set-hostname "$HOSTNAME_FQDN"
fi
echo "== Create user $NEW_USER =="
if id "$NEW_USER" >/dev/null 2>&1; then
echo "User $NEW_USER already exists. Skip."
else
adduser --disabled-password --gecos "" "$NEW_USER"
fi
echo "== Add $NEW_USER into sudo =="
usermod -aG sudo "$NEW_USER"
# allow sudo commands without password
echo "$NEW_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$NEW_USER"
sudo chmod 440 "/etc/sudoers.d/$NEW_USER"
echo "== Setup SSH-key for $NEW_USER =="
USER_HOME=$(getent passwd "$NEW_USER" | cut -d: -f6)
mkdir -p "$USER_HOME/.ssh"
chmod 700 "$USER_HOME/.ssh"
AUTH_KEYS="$USER_HOME/.ssh/authorized_keys"
touch "$AUTH_KEYS"
grep -qxF "$NEW_USER_SSH_KEY" "$AUTH_KEYS" || echo "$NEW_USER_SSH_KEY" >> "$AUTH_KEYS"
chmod 600 "$AUTH_KEYS"
chown -R "$NEW_USER:$NEW_USER" "$USER_HOME/.ssh"
echo "== Setup SSH =="
cat >/etc/ssh/sshd_config.d/100-security.conf <<EOF
PermitRootLogin no
PasswordAuthentication no
EOF
echo "== Reload SSH daemon =="
if systemctl reload ssh 2>/dev/null; then
echo "SSH reloaded via ssh.service"
elif systemctl reload sshd 2>/dev/null; then
echo "SSH reloaded via sshd.service"
else
echo "Warning: could not reload SSH daemon"
fi
echo "== Install base utilities =="
apt-get install -y \
net-tools \
htop \
curl \
wget \
git \
vim \
gnupg \
ca-certificates \
lsb-release
echo "== Finished. Check SSH for $NEW_USER =="
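Review bot: The sudoers drop-in written by `echo "$NEW_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$NEW_USER"` goes straight into place with no syntax check, and the sshd drop-in written a few lines later is reloaded into the daemon without `sshd -t`; a typo in the first breaks sudo for every user on the host, and one in the second makes the reload fail while the script only prints a warning. Write each to a temp file and validate before installing: `visudo -cf "$tmp" && install -m 440 "$tmp" "/etc/sudoers.d/$NEW_USER"` for sudoers, and `sshd -t` immediately before the `systemctl reload` lines. The `sudo` prefixes on the tee and chmod lines are redundant, since the `id -u` check at the top already exits unless the script runs as root.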


@@ -0,0 +1,13 @@
echo "== Install base utilities =="
apt-get install -y \
net-tools \
htop \
curl \
wget \
git \
vim \
gnupg \
ca-certificates \
lsb-release
echo "== Finished install base utilities =="
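Review bot: This fragment repeats the exact package list that the main setup script in this compare already installs in its `== Install base utilities ==` step, so the two will drift; keep the list in one file and have the other run it. Like the docker, fail2ban and ufw fragments, it has no shebang and no `set -euo pipefail`, which is acceptable only if it is always sourced from the main script after its strict-mode line; nothing here shows how it is invoked, so a one-line comment at the top stating that contract (`# sourced by the main setup script; do not run standalone`) would remove the ambiguity.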


@@ -0,0 +1,8 @@
echo "== Docker: install from get.docker.com =="
curl -fsSL https://get.docker.com | sh
echo "== Docker: add $NEW_USER into docker group =="
usermod -aG docker "$NEW_USER"
systemctl enable --now docker
echo "== Finished docker installation =="
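Review bot: `curl -fsSL https://get.docker.com | sh` runs an unpinned remote script as root with no integrity check; the main setup script already installs `gnupg`, `ca-certificates` and `lsb-release`, which are exactly the prerequisites for Docker's signed apt repository, so installing from that repository would fit the existing toolchain without the pipe-to-shell. Short of that, download the script to a file, inspect it, and run the saved copy. The fragment also uses `$NEW_USER` without defining it, so it only works when sourced after the main script's CONFIG block; say so in a comment at the top.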


@@ -0,0 +1,4 @@
echo "== Fail2ban =="
apt-get install -y fail2ban
systemctl enable --now fail2ban
echo "== Fail2ban enabled =="
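Review bot: Enabling fail2ban with no `jail.local` leaves only the distribution defaults active, and on Debian 12 and later the stock sshd jail is known to fail to start when rsyslog is not installed, because it looks for /var/log/auth.log instead of the journal; the page does not show the target distribution, so this is a hedged point, but if it applies the service will report an error rather than protect ssh. A minimal `/etc/fail2ban/jail.local` with `[sshd]`, `enabled = true` and `backend = systemd`, written before `systemctl enable --now fail2ban`, covers it, and a final `fail2ban-client status sshd` confirms the jail came up.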


@@ -0,0 +1,12 @@
echo "== UFW =="
apt-get install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
# enable with interactive = off
echo "y" | ufw enable
echo "== UFW enabled =="
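Review bot: `ufw default deny incoming` with only 22/80/443 opened reads as a tight perimeter, but on a stock Docker install ports published by containers bypass ufw's input chain because Docker programs its own iptables rules ahead of it, so the wg-easy stack in this compare (publishing 51820/udp, 80 and 443 on all interfaces) is reachable regardless of these rules and the deny default protects less than it appears to. Containers that should not be public are better bound to `127.0.0.1` or the WireGuard address, as the postgres and immich files here already do, or filtered via the DOCKER-USER chain. If this host is the WireGuard endpoint, add `ufw allow 51820/udp` explicitly so the intent survives if Docker's iptables integration is later disabled, and consider `ufw limit 22/tcp` in place of `ufw allow 22/tcp` for ssh rate limiting; `ufw --force enable` replaces the `echo "y" |` idiom.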