diff --git a/.env.sample b/.env.sample index d108c91..4afa6b4 100644 --- a/.env.sample +++ b/.env.sample @@ -1,16 +1,19 @@ # Internal settings (they will not be passed to running services) CHECK_FOR_OUTDATED_CONFIG=true +DOCKER_COMPOSE_BINARY="docker compose" # or "docker-compose" + # General Traefik (reverse proxy) settings TRAEFIK_DOMAIN=mydomain.com ACME_MAIL=my-email@my-provider.com -PILOT_TOKEN=mytraefiktoken # Keep it empty if not needed # General settings TZ="Europe/Paris" # HTTP Auth HTTP_USER=myuser +# Use this command to generate your password: +# docker run -it --rm --entrypoint htpasswd ubuntu/apache2 -nb your_user your_password | cut -d ":" -f 2 HTTP_PASSWORD='mypassword_encoded' # Keep these simple quotes! # Host paths + containers permissions mapping 
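Review bot: The htpasswd command in the comment added above `HTTP_PASSWORD` uses `-nb`, which produces an apr1-MD5 hash and puts the clear-text password on the command line (and therefore in shell history), while the Portainer instructions in the next hunk use bcrypt (`-nbB`). Dropping `-b` and the password argument makes htpasswd prompt for it, and `-B` selects bcrypt, which Traefik's basicAuth accepts: `# docker run -it --rm --entrypoint htpasswd ubuntu/apache2 -nB your_user | cut -d ":" -f 2`. The existing "Keep these simple quotes!" warning on the line below presumably exists because the hash contains `$` characters; a short comment saying so would keep users from "cleaning up" the quoting.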
@@ -22,25 +25,29 @@ PGID=1000 PUID=1000 # Database (for Nextcloud) -MYSQL_ROOT_PASSWORD=h4ckMePleAse889912101 +MYSQL_ROOT_PASSWORD=changeme MYSQL_DATABASE=nextcloud MYSQL_USER=nextcloud -MYSQL_PASSWORD=h4ckMePleAse4256718 +MYSQL_PASSWORD=changeme # Nextcloud -NEXTCLOUD_ADMIN_USER=admin -NEXTCLOUD_ADMIN_PASSWORD=h4ckMePleAse873214668 +NEXTCLOUD_ADMIN_USER=admin # you can change it +NEXTCLOUD_ADMIN_PASSWORD=changeme # Portainer -PORTAINER_ADMIN_PASSWORD=h4ckMePleAse +# Please ensure you encrypt your password first using this command: +# docker run -it --rm --entrypoint htpasswd ubuntu/apache2 -nbB admin your_password | cut -d ":" -f 2 | sed -e s/\\$/\\$\\$/g +PORTAINER_ADMIN_PASSWORD=changeme -# Flood username declared in deluge rpc daemon -FLOOD_PASSWORD=myfloodpassword +# Flood username declared in deluge RPC daemon +FLOOD_PASSWORD=changeme # Flood Password for Deluge RPC daemon FLOOD_AUTOCREATE_USER_IN_DELUGE_DAEMON=false +CALIBRE_PASSWORD=mycalibrepassword + # Wireguard custom endpoint -WIREGUARD_ENDPOINT= +WIREGUARD_ENDPOINT=changeme # Wireguard endpoint WIREGUARD_PORT=51820 -WIREGUARD_PUBLIC_KEY= -WIREGUARD_PRIVATE_KEY= -WIREGUARD_ADDRESS= \ No newline at end of file +WIREGUARD_PUBLIC_KEY=changeme +WIREGUARD_PRIVATE_KEY=changeme +WIREGUARD_ADDRESS=changeme # Wireguard LAN address \ No newline at end of file diff --git a/.gitignore b/.gitignore index 5657fae..369245a 100644 --- a/.gitignore +++ b/.gitignore @@ -13,4 +13,6 @@ samples/custom*/*.yaml config.yaml services/custom/*.yaml services/custom/*.yml -services/generated/*.yaml \ No newline at end of file +services/generated/*.yaml + +authelia/* \ No newline at end of file diff --git a/README.md b/README.md index 4f82ec3..1c2fbc6 100644 --- a/README.md +++ b/README.md 
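Review bot: `CALIBRE_PASSWORD=mycalibrepassword` is the only new secret in this hunk that does not use the `changeme` placeholder every other credential is switched to, so a user (or a future script check) looking for unchanged defaults will miss it; use `CALIBRE_PASSWORD=changeme # Calibre GUI password` for consistency. Since `changeme` is now a uniform marker, run-seedbox.sh could refuse to launch when any `*_PASSWORD` or `WIREGUARD_PRIVATE_KEY` value still equals it, turning a silently weak deployment into a clear error. The Wireguard placeholders are the most likely to be left as-is, because the old sample left them empty and the generated config would previously fail outright rather than start with a literal `changeme` key.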
@@ -39,6 +39,8 @@ Version 2 is released, please make sure you read [this V2 Migration Guide](doc/U | Bazarr | bazarr.yourdomain.com | [linuxserver/bazarr](https://hub.docker.com/r/linuxserver/bazarr) | *latest* | Subtitles monitor | | Lidarr | lidarr.yourdomain.com | [linuxserver/lidarr](https://hub.docker.com/r/linuxserver/lidarr) | *develop* | Music monitor | | Readarr | readarr.yourdomain.com | [linuxserver/readarr](https://hub.docker.com/r/linuxserver/readarr) | *nightly* | Ebook and comic monitor | +| Calibre | calibre-admin.yourdomain.com | [linuxserver/calibre](https://hub.docker.com/r/linuxserver/calibre) | *latest* | eBook management | +| Calibre-web | calibre.yourdomain.com | [linuxserver/calibre-web](https://hub.docker.com/r/linuxserver/calibre-web) | *nightly* | Book management UI | | Komga | komga.yourdomain.com | [gotson/komga](https://hub.docker.com/r/gotson/komga) | *latest* | Comic Book Manager | | Kavita | Kavita.yourdomain.com | [gotson/komga](https://hub.docker.com/r/gotson/komga) | *latest* | Comic Book Manager | | Ombi | ombi.yourdomain.com | [linuxserver/ombi](https://hub.docker.com/r/linuxserver/ombi) | *latest* | Plex content requests | @@ -75,7 +77,7 @@ Check the [Configuration Guide](doc/configuration.md). ### Dependencies - [Docker](https://github.com/docker/docker) >= 20.10 -- [Docker Compose](https://github.com/docker/compose) >= 2.2 +- [Docker Compose](https://github.com/docker/compose) >= 2.2 *(2.16+ recommended)* - [local-persist Docker plugin](https://github.com/MatchbookLab/local-persist): installed directly on host (not in container). This is a volume plugin that extends the default local driver’s functionality by allowing you specify a mountpoint anywhere on the host, which enables the files to always persist, even if the volume is removed via `docker volume rm`. Use *systemd* install for Ubuntu. - [jq](https://stedolan.github.io/jq/download/) >= 1.5 - [yq](https://github.com/mikefarah/yq/releases) >= 4 
@@ -115,3 +117,8 @@ All data is saved in the docker volumes `seedbox_config` or `seedbox_torrents`. These volumes are mapped to the `config` and `torrents` folders located in `/data` on the host. You can change these static paths in the docker-compose.yml file. Thanks to the **local-persist** Docker plugin, the data located in these volumes is persistent, meaning that volumes are not deleted, even when using the ```docker-compose down``` command. It would be a shame to loose everything by running a simple docker command ;-) + +# Configure your apps + +- Some indications here (more to come): [Apps Configuration](doc/configuration.md#apps-configuration) +- [TRaSH Guides](https://trash-guides.info/) \ No newline at end of file diff --git a/config.sample.yaml b/config.sample.yaml index 9eb973b..3b465e6 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -111,6 +111,24 @@ services: - host: readarr.${TRAEFIK_DOMAIN} httpAuth: true internalPort: 8787 + - name: calibre + enabled: false + vpn: false + traefik: + enabled: true + rules: + - host: calibre-admin.${TRAEFIK_DOMAIN} + httpAuth: true + internalPort: 8080 + - name: calibre-web + enabled: false + vpn: false + traefik: + enabled: true + rules: + - host: calibre.${TRAEFIK_DOMAIN} + httpAuth: true + internalPort: 8083 - name: komga enabled: false vpn: false @@ -192,7 +210,7 @@ services: rules: - host: portainer.${TRAEFIK_DOMAIN} httpAuth: false - internalPort: 9443 + internalPort: 9000 - name: netdata enabled: true vpn: false diff --git a/doc/apps/deluge-flood.md b/doc/apps/deluge-flood.md new file mode 100644 index 0000000..09304bf --- /dev/null +++ b/doc/apps/deluge-flood.md 
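Review bot: Switching Portainer's `internalPort` from 9443 to 9000 moves the Traefik-to-container hop from Portainer's TLS listener to its plain-HTTP listener, so logins now cross the Docker network unencrypted; that is usually acceptable on an internal bridge network, but it should be stated in a comment, especially since `httpAuth` is `false` for this service. Presumably the generated Traefik service URL scheme changes from https to http along with it (the generator in run-seedbox.sh is not in this hunk), which should be verified. A comment such as `internalPort: 9000 # Portainer HTTP listener; TLS is terminated by Traefik` would record the intent.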
@@ -0,0 +1,15 @@ +# Deluge + Flood configuration + +Here is the recommended configuration for Deluge to work with Flood: + +- In your ``.env`` configuration file, check that both ``FLOOD_PASSWORD`` and ``FLOOD_AUTOCREATE_USER_IN_DELUGE_DAEMON`` variables are set and that ``FLOOD_AUTOCREATE_USER_IN_DELUGE_DAEMON`` is ``true``. +- Check in your ``config.yaml`` that both ``Deluge`` and ``Flood`` are enabled. +- Run the stack: ``./run-seedbox.sh`` +- Wait for services to be up and running. +- Go to Deluge UI (by default ``deluge.yourdomain.com``). +- Open Preferences +- In the "Daemon" menu, select "Allow remote connections". + +![Deluge Daemon Config](img/deluge-remote-connections.png) + +- Save changes and restart Flood: ``docker restart flood`` (if necessary). diff --git a/doc/apps/img/deluge-remote-connections.png b/doc/apps/img/deluge-remote-connections.png new file mode 100644 index 0000000..f2fd6b9 Binary files /dev/null and b/doc/apps/img/deluge-remote-connections.png differ diff --git a/doc/configuration.md b/doc/configuration.md index b90d90e..278f515 100644 --- a/doc/configuration.md +++ b/doc/configuration.md @@ -12,9 +12,10 @@ * [VPN](#vpn) * [Default mode - Wireguard custom](#default-mode---wireguard-custom) * [Your own mode (VPN provider supported by gluetun)](#your-own-mode-vpn-provider-supported-by-gluetun) - * [How does VPN is handled?](#how-does-vpn-is-handled) + * [How is VPN handled?](#how-is-vpn-handled) * [Make the services communicate with each other](#make-the-services-communicate-with-each-other) * [How does the configuration work?](#how-does-the-configuration-work) +* [Apps configuration](#apps-configuration) ## General principles 
@@ -249,7 +250,7 @@ By default, the file used is [gluetun.yaml](../services/gluetun.yaml), which is * Run ``./run-seedbox.sh``. * The service now uses your VPN by tunneling via gluetun container. If gluetun is down or if the VPN link is broken, your service won't have any access to Internet. -### How does VPN is handled? +### How is VPN handled? Behind the scenes, the ``run-seedbox.sh`` script will mainly add 2 overrides when enabling VPN on a service: @@ -315,4 +316,12 @@ http: - url: "https://nextcloud:443" ``` -This file will be automatically placed in [traefik/custom/](../traefik/custom/) directory (mounted by Traefik container) so the config will dynamically apply. This file is updated on each ``run-seedbox.sh`` execution. \ No newline at end of file +This file will be automatically placed in [traefik/custom/](../traefik/custom/) directory (mounted by Traefik container) so the config will dynamically apply. This file is updated on each ``run-seedbox.sh`` execution. + +# Apps configuration + +List of currently available documentation for apps: + +- [Deluge + Flood](apps/deluge-flood.md) + +I also strongly recommend [TRaSH Guides](https://trash-guides.info/) to have a better overview of all *arrs apps configurations. \ No newline at end of file diff --git a/run-seedbox.sh b/run-seedbox.sh index bddd2e4..96bb827 100755 --- a/run-seedbox.sh +++ b/run-seedbox.sh @@ -57,6 +57,7 @@ export COMPOSE_HTTP_TIMEOUT=240 [[ -z $HOST_CONFIG_PATH ]] && export HOST_CONFIG_PATH="/data/config" [[ -z $HOST_MEDIA_PATH ]] && export HOST_MEDIA_PATH="/data/torrents" [[ -z $DOWNLOAD_SUBFOLDER ]] && export DOWNLOAD_SUBFOLDER="deluge" +[[ -z $DOCKER_COMPOSE_BINARY ]] && export DOCKER_COMPOSE_BINARY="docker-compose" if [[ ! -f config.yaml ]]; then echo "[$0] No config.yaml file found. Copying from sample file..." 
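Review bot: The default set here (`docker-compose`) differs from the one documented in `.env.sample` (`"docker compose"`), and neither path verifies that the chosen binary exists before the pull and `up -d` in the later hunk `@@ -271`, so a missing binary surfaces only as a shell "command not found" after all the config generation has already run. A fail-fast check after this line, e.g. `command -v ${DOCKER_COMPOSE_BINARY%% *} >/dev/null || { echo "[$0] ERROR. ${DOCKER_COMPOSE_BINARY} not found."; exit 1; }`, would give the same clear error the other config checks print. The unquoted expansion in `@@ -271` is what makes the two-word `docker compose` value work; a comment there saying that word splitting is intentional would stop someone from "fixing" it with quotes.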
@@ -119,6 +120,15 @@ if [[ $(cat config.json | jq '[.services[] | select(.name=="flood" and .enabled= fi fi +# Check that if calibre-web is enabled, calibre should also be enabled +if [[ $(cat config.json | jq '[.services[] | select(.name=="calibre-web" and .enabled==true)] | length') -eq 1 ]]; then + if [[ $(cat config.json | jq '[.services[] | select(.name=="calibre" and .enabled==false)] | length') -eq 1 ]]; then + echo "[$0] ERROR. Calibre-web is enabled but Calibre is not. Please either enable Calibre or disable Calibre-web as Calibre-web depends on Calibre." + echo "[$0] ******* Exiting *******" + exit 1 + fi +fi + # Apply other arbitrary custom Traefik config files rm -f $f traefik/custom/custom-* for f in `find samples/custom-traefik -maxdepth 1 -mindepth 1 -type f | grep -E "\.yml$|\.yaml$" | sort`; do @@ -271,11 +281,11 @@ echo "[$0] ***** Config OK. Launching services... *****" if [[ "${SKIP_PULL}" != "1" ]]; then echo "[$0] ***** Pulling all images... *****" - docker-compose ${ALL_SERVICES} pull + ${DOCKER_COMPOSE_BINARY} ${ALL_SERVICES} pull fi echo "[$0] ***** Recreating containers if required... *****" -docker-compose ${ALL_SERVICES} up -d --remove-orphans +${DOCKER_COMPOSE_BINARY} ${ALL_SERVICES} up -d --remove-orphans echo "[$0] ***** Done updating containers *****" echo "[$0] ***** Clean unused images and volumes... *****" diff --git a/services/calibre-web.yaml b/services/calibre-web.yaml new file mode 100644 index 0000000..ca24149 --- /dev/null +++ b/services/calibre-web.yaml @@ -0,0 +1,14 @@ +services: + calibre-web: + image: ghcr.io/linuxserver/calibre-web:nightly + container_name: calibre-web + restart: always + environment: + - PGID=${PGID} + - PUID=${PUID} + - TZ=${TZ} + - DOCKER_MODS=linuxserver/mods:universal-calibre + - OAUTHLIB_RELAX_TOKEN_SCOPE=1 + volumes: + - configcalibre:/config + - torrents:/torrents \ No newline at end of file diff --git a/services/calibre.yaml b/services/calibre.yaml new file mode 100644 index 0000000..eb215ca 
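Review bot: The inner condition only catches a `calibre` entry that is present with `enabled: false`; if a user's config.yaml predates this change and has no `calibre` entry at all, the `select` yields length 0, the guard passes, and the run continues with calibre-web referencing a `configcalibre` volume that only calibre.yaml declares, presumably failing later at compose time with a much less helpful message. Inverting the test closes that gap: `if [[ $(cat config.json | jq '[.services[] | select(.name=="calibre" and .enabled==true)] | length') -ne 1 ]]; then`. The comment above the block could then read `# calibre-web requires calibre (shared config volume); refuse to run unless calibre is present and enabled`.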
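Review bot: `OAUTHLIB_RELAX_TOKEN_SCOPE=1` relaxes oauthlib's check that the scope returned by an OAuth provider matches the one requested, and it is set unconditionally even though nothing in this diff configures an OAuth login for calibre-web. If it is there for a specific provider, say so in a comment (`# needed only for OAuth login via providers that return extra scopes`) and consider leaving it to the user's `.env`; otherwise drop it. The file also mounts `configcalibre` without declaring it — only calibre.yaml in this diff does — which is why run-seedbox.sh now forces calibre on whenever calibre-web is enabled; a comment above the volume, `# configcalibre is declared in calibre.yaml (calibre must be enabled; enforced by run-seedbox.sh)`, would make that coupling visible to anyone editing either file.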
--- /dev/null +++ b/services/calibre.yaml @@ -0,0 +1,20 @@ +services: + calibre: + image: ghcr.io/linuxserver/calibre + container_name: calibre + restart: always + environment: + - PGID=${PGID} + - PUID=${PUID} + - TZ=${TZ} + - PASSWORD=${CALIBRE_PASSWORD} + - CLI_ARGS= + volumes: + - configcalibre:/config + - torrents:/torrents + +volumes: + configcalibre: + driver: local-persist + driver_opts: + mountpoint: $HOST_CONFIG_PATH/calibre \ No newline at end of file diff --git a/services/gluetun.yaml b/services/gluetun.yaml index ab02491..45981ce 100755 --- a/services/gluetun.yaml +++ b/services/gluetun.yaml @@ -7,7 +7,7 @@ services: - NET_ADMIN environment: - PUID=${PUID} - - PGIDq=${PGID} + - PGID=${PGID} - TZ=${TZ} - VPNSP=custom - VPN_TYPE=wireguard diff --git a/services/plex-hardware-transcoding.yaml b/services/plex-hardware-transcoding.yaml index 7d8b671..5b0ddd5 100755 --- a/services/plex-hardware-transcoding.yaml +++ b/services/plex-hardware-transcoding.yaml @@ -3,11 +3,16 @@ services: image: ghcr.io/linuxserver/plex container_name: plex restart: always + network_mode: host ports: - "32400:32400" - "32400:32400/udp" - "32469:32469" - "32469:32469/udp" + - "32410:32410/udp" + - "32412:32412/udp" + - "32413:32413/udp" + - "32414:32414/udp" devices: - /dev/dri:/dev/dri # for hardware transcoding volumes: diff --git a/services/plex.yaml b/services/plex.yaml index bd66677..c78134e 100755 --- a/services/plex.yaml +++ b/services/plex.yaml @@ -3,11 +3,16 @@ services: image: ghcr.io/linuxserver/plex container_name: plex restart: always + network_mode: host ports: - "32400:32400" - "32400:32400/udp" - "32469:32469" - "32469:32469/udp" + - "32410:32410/udp" + - "32412:32412/udp" + - "32413:32413/udp" + - "32414:32414/udp" volumes: - configplex:/config - torrents:/torrents diff --git a/services/traefik.yaml b/services/traefik.yaml index b454ec1..f620e0e 100755 --- a/services/traefik.yaml +++ b/services/traefik.yaml 
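Review bot: `image: ghcr.io/linuxserver/calibre` carries no tag, so every pull floats to whatever `latest` is at the time, while the sibling calibre-web.yaml in this diff pins `:nightly` and the README table lists *latest* for calibre; making the tag explicit (`image: ghcr.io/linuxserver/calibre:latest`, or a pinned version) keeps the two files consistent and the pull reproducible. `PASSWORD=${CALIBRE_PASSWORD}` and the empty `CLI_ARGS=` each deserve a comment, since neither name says which of the image's interfaces the password protects or what arguments would go there; I can't tell that from this diff, so the wording should come from the image's documentation.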
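Review bot: Both plex-hardware-transcoding.yaml and plex.yaml add `network_mode: host` while keeping (and extending) the `ports:` block; with host networking there is no port mapping, so Compose discards the published ports (recent versions log a warning to that effect) and the four new `324xx/udp` lines have no effect. Pick one model: keep `network_mode: host` and delete the `ports:` block, or keep the mappings and drop host mode. Host mode also means Plex listens on every host interface directly rather than through a published port, which is a larger exposure than before, and presumably the Traefik route for plex can no longer reach it by container name on the Docker network — worth verifying and recording in a comment on the `network_mode` line.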
@@ -3,9 +3,8 @@ services: image: traefik container_name: traefik restart: always - command: + command: - --certificatesresolvers.le.acme.email=${ACME_MAIL} - - --pilot.token=${PILOT_TOKEN} ports: - "80:80" - "443:443" @@ -21,4 +20,4 @@ volumes: configtraefik: driver: local-persist driver_opts: - mountpoint: $HOST_CONFIG_PATH/traefik \ No newline at end of file + mountpoint: $HOST_CONFIG_PATH/traefik diff --git a/traefik/custom/middlewares.yaml b/traefik/custom/middlewares.yaml index e0d2a75..6b948ee 100644 --- a/traefik/custom/middlewares.yaml +++ b/traefik/custom/middlewares.yaml @@ -1,8 +1,6 @@ http: middlewares: - common-auth: - basicAuth: - usersFile: "/etc/traefik/http_auth" + # Middleware applied globally at the entrypoint level (applied to all routers using "secure" entrypoint) security-headers: headers: forceSTSHeader: true @@ -15,6 +13,18 @@ http: frameDeny: true contentTypeNosniff: true browserXssFilter: true + + customresponseheaders: + X-Frame-Options: sameorigin + Content-Security-Policy: frame-ancestors https://*.{{ env "TRAEFIK_DOMAIN" }} + customrequestheaders: + X-Frame-Options: sameorigin + Content-Security-Policy: frame-ancestors https://*.{{ env "TRAEFIK_DOMAIN" }} + + # Middlewares which are used automatically by the run-seedbox.sh script according to the parameters applied + common-auth: + basicAuth: + usersFile: "/etc/traefik/http_auth" redirect-to-https: redirectScheme: scheme: https
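Review bot: The `command:` line is removed and re-added with no visible change, which in this collapsed view most likely means trailing whitespace was added to it; yamllint's `trailing-spaces` rule will flag that, so the line should be restored to a bare `command:`. Dropping `--pilot.token` itself is fine and matches the `PILOT_TOKEN` removal in `.env.sample`.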
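Review bot: The new `customrequestheaders` block copies `X-Frame-Options` and `Content-Security-Policy` onto the request sent to the backend, where they mean nothing — those are response headers the browser evaluates — so the block is dead configuration at best and should be removed. The `customresponseheaders` copy also conflicts with the `frameDeny: true` kept a few lines above, which emits `X-Frame-Options: DENY`; which value wins depends on Traefik's internal ordering, and a browser that honors `frame-ancestors` will use the CSP and ignore X-Frame-Options anyway, so the intent is ambiguous. Traefik's headers middleware has native options for both, which removes the ordering question: replace `frameDeny: true` and the two custom blocks with `customFrameOptionsValue: SAMEORIGIN` and `contentSecurityPolicy: 'frame-ancestors https://*.{{ env "TRAEFIK_DOMAIN" }}'`. Note in a comment that `https://*.DOMAIN` covers subdomains only, so a page served from the bare domain would not be allowed to frame these services.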