Merge pull request #40 from jfroment/dev

v2.1 - The Pearl ⚪

.env.sample

@@ -1,16 +1,19 @@
 # Internal settings (they will not be passed to running services)
 CHECK_FOR_OUTDATED_CONFIG=true
 
+DOCKER_COMPOSE_BINARY="docker compose" # or "docker-compose"
+
 # General Traefik (reverse proxy) settings
 TRAEFIK_DOMAIN=mydomain.com
 ACME_MAIL=my-email@my-provider.com
-PILOT_TOKEN=mytraefiktoken # Keep it empty if not needed
 
 # General settings
 TZ="Europe/Paris"
 
 # HTTP Auth
 HTTP_USER=myuser
+# Use this command to generate your password: 
+# docker run -it --rm --entrypoint htpasswd ubuntu/apache2 -nb your_user your_password | cut -d ":" -f 2
 HTTP_PASSWORD='mypassword_encoded' # Keep these simple quotes!
 
 # Host paths + containers permissions mapping
@@ -22,25 +25,29 @@ PGID=1000
 PUID=1000
 
 # Database (for Nextcloud)
-MYSQL_ROOT_PASSWORD=h4ckMePleAse889912101
+MYSQL_ROOT_PASSWORD=changeme
 MYSQL_DATABASE=nextcloud
 MYSQL_USER=nextcloud
-MYSQL_PASSWORD=h4ckMePleAse4256718
+MYSQL_PASSWORD=changeme
 
 # Nextcloud
-NEXTCLOUD_ADMIN_USER=admin
-NEXTCLOUD_ADMIN_PASSWORD=h4ckMePleAse873214668
+NEXTCLOUD_ADMIN_USER=admin # you can change it
+NEXTCLOUD_ADMIN_PASSWORD=changeme
 
 # Portainer
-PORTAINER_ADMIN_PASSWORD=h4ckMePleAse
+# Please ensure you encrypt your password first using this command:
+# docker run -it --rm --entrypoint htpasswd ubuntu/apache2 -nbB admin your_password | cut -d ":" -f 2 | sed -e s/\\$/\\$\\$/g
+PORTAINER_ADMIN_PASSWORD=changeme
 
-# Flood username declared in  deluge rpc daemon
-FLOOD_PASSWORD=myfloodpassword
+# Flood username declared in  deluge RPC daemon
+FLOOD_PASSWORD=changeme # Flood Password for Deluge RPC daemon
 FLOOD_AUTOCREATE_USER_IN_DELUGE_DAEMON=false
 
+CALIBRE_PASSWORD=mycalibrepassword
+
 # Wireguard custom endpoint
-WIREGUARD_ENDPOINT=<ENDPOINT>
+WIREGUARD_ENDPOINT=changeme # Wireguard endpoint
 WIREGUARD_PORT=51820
-WIREGUARD_PUBLIC_KEY=<WIREGUARD_PUBLIC_KEY>
-WIREGUARD_PRIVATE_KEY=<WIREGUARD_PRIVATE_KEY>
-WIREGUARD_ADDRESS=<WIREGUARD_LAN_ADDRESS>
+WIREGUARD_PUBLIC_KEY=changeme
+WIREGUARD_PRIVATE_KEY=changeme
+WIREGUARD_ADDRESS=changeme # Wireguard LAN address

.gitignore

@@ -13,4 +13,6 @@ samples/custom*/*.yaml
 config.yaml
 services/custom/*.yaml
 services/custom/*.yml
-services/generated/*.yaml
+services/generated/*.yaml
+
+authelia/*

README.md

@@ -39,6 +39,8 @@ Version 2 is released, please make sure you read [this V2 Migration Guide](doc/U
 | Bazarr               | bazarr.yourdomain.com      | [linuxserver/bazarr](https://hub.docker.com/r/linuxserver/bazarr)      | *latest*                | Subtitles monitor   |
 | Lidarr               | lidarr.yourdomain.com      | [linuxserver/lidarr](https://hub.docker.com/r/linuxserver/lidarr)      | *develop*               | Music monitor       |
 | Readarr               | readarr.yourdomain.com      | [linuxserver/readarr](https://hub.docker.com/r/linuxserver/readarr)      | *nightly*               | Ebook and comic monitor       |
+| Calibre | calibre-admin.yourdomain.com | [linuxserver/calibre](https://hub.docker.com/r/linuxserver/calibre)  | *latest* | eBook management |
+| Calibre-web | calibre.yourdomain.com | [linuxserver/calibre-web](https://hub.docker.com/r/linuxserver/calibre-web)  | *nightly* | Book management UI |
 | Komga               | komga.yourdomain.com      | [gotson/komga](https://hub.docker.com/r/gotson/komga)      | *latest*               | Comic Book Manager       |
 | Kavita               | Kavita.yourdomain.com      | [gotson/komga](https://hub.docker.com/r/gotson/komga)      | *latest*               | Comic Book Manager       |
 | Ombi               | ombi.yourdomain.com      | [linuxserver/ombi](https://hub.docker.com/r/linuxserver/ombi)      | *latest*               | Plex content requests       |
@@ -75,7 +77,7 @@ Check the [Configuration Guide](doc/configuration.md).
 ### Dependencies
 
 - [Docker](https://github.com/docker/docker) >= 20.10
-- [Docker Compose](https://github.com/docker/compose) >= 2.2
+- [Docker Compose](https://github.com/docker/compose) >= 2.2 *(2.16+ recommended)*
 - [local-persist Docker plugin](https://github.com/MatchbookLab/local-persist): installed directly on host (not in container). This is a volume plugin that extends the default local driver’s functionality by allowing you specify a mountpoint anywhere on the host, which enables the files to always persist, even if the volume is removed via `docker volume rm`. Use *systemd* install for Ubuntu.
 - [jq](https://stedolan.github.io/jq/download/) >= 1.5
 - [yq](https://github.com/mikefarah/yq/releases) >= 4
@@ -115,3 +117,8 @@ All data is saved in the docker volumes `seedbox_config` or
 `seedbox_torrents`.
 These volumes are mapped to the `config` and `torrents` folders located in `/data` on the host. You can change these static paths in the docker-compose.yml file.
 Thanks to the **local-persist** Docker plugin, the data located in these volumes is persistent, meaning that volumes are not deleted, even when using the ```docker-compose down``` command. It would be a shame to loose everything by running a simple docker command ;-)
+
+# Configure your apps
+
+- Some indications here (more to come): [Apps Configuration](doc/configuration.md#apps-configuration)
+- [TRaSH Guides](https://trash-guides.info/)

config.sample.yaml

@@ -111,6 +111,24 @@ services:
         - host: readarr.${TRAEFIK_DOMAIN}
           httpAuth: true
           internalPort: 8787
+  - name: calibre
+    enabled: false
+    vpn: false
+    traefik:
+      enabled: true
+      rules:
+        - host: calibre-admin.${TRAEFIK_DOMAIN}
+          httpAuth: true
+          internalPort: 8080
+  - name: calibre-web
+    enabled: false
+    vpn: false
+    traefik:
+      enabled: true
+      rules:
+        - host: calibre.${TRAEFIK_DOMAIN}
+          httpAuth: true
+          internalPort: 8083
   - name: komga
     enabled: false
     vpn: false
@@ -192,7 +210,7 @@ services:
       rules:
         - host: portainer.${TRAEFIK_DOMAIN}
           httpAuth: false
-          internalPort: 9443
+          internalPort: 9000
   - name: netdata
     enabled: true
     vpn: false

doc/apps/deluge-flood.md

@@ -0,0 +1,15 @@
+# Deluge + Flood configuration
+
+Here is the recommended configuration for Deluge to work with Flood:
+
+- In your ``.env`` configuration file, check that both ``FLOOD_PASSWORD`` and ``FLOOD_AUTOCREATE_USER_IN_DELUGE_DAEMON`` variables are set and that ``FLOOD_AUTOCREATE_USER_IN_DELUGE_DAEMON`` is ``true``.
+- Check in your ``config.yaml`` that both ``Deluge`` and ``Flood`` are enabled.
+- Run the stack: ``./run-seedbox.sh``
+- Wait for services to be up and running.
+- Go to Deluge UI (by default ``deluge.yourdomain.com``).
+- Open Preferences
+- In the "Daemon" menu, select "Allow remote connections".
+
+![Deluge Daemon Config](img/deluge-remote-connections.png)
+
+- Save changes and restart Flood: ``docker restart flood`` (if necessary).

doc/configuration.md

@@ -12,9 +12,10 @@
 * [VPN](#vpn)
   * [Default mode - Wireguard custom](#default-mode---wireguard-custom)
   * [Your own mode (VPN provider supported by gluetun)](#your-own-mode-vpn-provider-supported-by-gluetun)
-  * [How does VPN is handled?](#how-does-vpn-is-handled)
+  * [How is VPN handled?](#how-is-vpn-handled)
 * [Make the services communicate with each other](#make-the-services-communicate-with-each-other)
 * [How does the configuration work?](#how-does-the-configuration-work)
+* [Apps configuration](#apps-configuration)
 
 ## General principles
 
@@ -249,7 +250,7 @@ By default, the file used is [gluetun.yaml](../services/gluetun.yaml), which is
 * Run ``./run-seedbox.sh``.
 * The service now uses your VPN by tunneling via gluetun container. If gluetun is down or if the VPN link is broken, your service won't have any access to Internet.
 
-### How does VPN is handled?
+### How is VPN handled?
 
 Behind the scenes, the ``run-seedbox.sh`` script will mainly add 2 overrides when enabling VPN on a service:
 
@@ -315,4 +316,12 @@ http:
           - url: "https://nextcloud:443"
 ```
 
-This file will be automatically placed in [traefik/custom/](../traefik/custom/) directory (mounted by Traefik container) so the config will dynamically apply. This file is updated on each ``run-seedbox.sh`` execution.
+This file will be automatically placed in [traefik/custom/](../traefik/custom/) directory (mounted by Traefik container) so the config will dynamically apply. This file is updated on each ``run-seedbox.sh`` execution.
+
+# Apps configuration
+
+List of currently available documentation for apps:
+
+- [Deluge + Flood](apps/deluge-flood.md)
+
+I also strongly recommend [TRaSH Guides](https://trash-guides.info/) to have a better overview of all *arrs apps configurations.

run-seedbox.sh

@@ -57,6 +57,7 @@ export COMPOSE_HTTP_TIMEOUT=240
 [[ -z $HOST_CONFIG_PATH ]] && export HOST_CONFIG_PATH="/data/config"
 [[ -z $HOST_MEDIA_PATH ]] && export HOST_MEDIA_PATH="/data/torrents"
 [[ -z $DOWNLOAD_SUBFOLDER ]] && export DOWNLOAD_SUBFOLDER="deluge"
+[[ -z $DOCKER_COMPOSE_BINARY ]] && export DOCKER_COMPOSE_BINARY="docker-compose"
 
 if [[ ! -f config.yaml ]]; then
   echo "[$0] No config.yaml file found. Copying from sample file..."
@@ -119,6 +120,15 @@ if [[ $(cat config.json | jq '[.services[] | select(.name=="flood" and .enabled=
   fi
 fi
 
+# Check that if calibre-web is enabled, calibre should also be enabled
+if [[ $(cat config.json | jq '[.services[] | select(.name=="calibre-web" and .enabled==true)] | length') -eq 1 ]]; then
+  if [[ $(cat config.json | jq '[.services[] | select(.name=="calibre" and .enabled==false)] | length') -eq 1 ]]; then
+    echo "[$0] ERROR. Calibre-web is enabled but Calibre is not. Please either enable Calibre or disable Calibre-web as Calibre-web depends on Calibre."
+    echo "[$0] ******* Exiting *******"
+    exit 1
+  fi
+fi
+
 # Apply other arbitrary custom Traefik config files
 rm -f $f traefik/custom/custom-*
 for f in `find samples/custom-traefik -maxdepth 1 -mindepth 1 -type f | grep -E "\.yml$|\.yaml$" | sort`; do
@@ -271,11 +281,11 @@ echo "[$0] ***** Config OK. Launching services... *****"
 
 if [[ "${SKIP_PULL}" != "1" ]]; then
   echo "[$0] ***** Pulling all images... *****"
-  docker-compose ${ALL_SERVICES} pull
+  ${DOCKER_COMPOSE_BINARY} ${ALL_SERVICES} pull
 fi
 
 echo "[$0] ***** Recreating containers if required... *****"
-docker-compose ${ALL_SERVICES} up -d --remove-orphans
+${DOCKER_COMPOSE_BINARY} ${ALL_SERVICES} up -d --remove-orphans
 echo "[$0] ***** Done updating containers *****"
 
 echo "[$0] ***** Clean unused images and volumes... *****"

services/calibre-web.yaml

@@ -0,0 +1,14 @@
+services:
+  calibre-web:
+    image: ghcr.io/linuxserver/calibre-web:nightly
+    container_name: calibre-web
+    restart: always
+    environment:
+      - PGID=${PGID}
+      - PUID=${PUID}
+      - TZ=${TZ}
+      - DOCKER_MODS=linuxserver/mods:universal-calibre
+      - OAUTHLIB_RELAX_TOKEN_SCOPE=1
+    volumes:
+      - configcalibre:/config
+      - torrents:/torrents

services/calibre.yaml

@@ -0,0 +1,20 @@
+services:
+  calibre:
+    image: ghcr.io/linuxserver/calibre
+    container_name: calibre
+    restart: always
+    environment:
+      - PGID=${PGID}
+      - PUID=${PUID}
+      - TZ=${TZ}
+      - PASSWORD=${CALIBRE_PASSWORD}
+      - CLI_ARGS=
+    volumes:
+      - configcalibre:/config
+      - torrents:/torrents
+
+volumes:
+  configcalibre: 
+    driver: local-persist
+    driver_opts:
+      mountpoint: $HOST_CONFIG_PATH/calibre

services/gluetun.yaml

@@ -7,7 +7,7 @@ services:
       - NET_ADMIN
     environment:
       - PUID=${PUID}
-      - PGIDq=${PGID}
+      - PGID=${PGID}
       - TZ=${TZ}
       - VPNSP=custom
       - VPN_TYPE=wireguard

services/plex-hardware-transcoding.yaml

@@ -3,11 +3,16 @@ services:
     image: ghcr.io/linuxserver/plex
     container_name: plex
     restart: always
+    network_mode: host
     ports:
       - "32400:32400"
       - "32400:32400/udp"
       - "32469:32469"
       - "32469:32469/udp"
+      - "32410:32410/udp"
+      - "32412:32412/udp"
+      - "32413:32413/udp"
+      - "32414:32414/udp"
     devices:
       - /dev/dri:/dev/dri # for hardware transcoding
     volumes:

services/plex.yaml

@@ -3,11 +3,16 @@ services:
     image: ghcr.io/linuxserver/plex
     container_name: plex
     restart: always
+    network_mode: host
     ports:
       - "32400:32400"
       - "32400:32400/udp"
       - "32469:32469"
       - "32469:32469/udp"
+      - "32410:32410/udp"
+      - "32412:32412/udp"
+      - "32413:32413/udp"
+      - "32414:32414/udp"
     volumes:
       - configplex:/config
       - torrents:/torrents

services/traefik.yaml

@@ -3,9 +3,8 @@ services:
     image: traefik
     container_name: traefik
     restart: always
-    command: 
+    command:
       - --certificatesresolvers.le.acme.email=${ACME_MAIL}
-      - --pilot.token=${PILOT_TOKEN}
     ports:
       - "80:80"
       - "443:443"
@@ -21,4 +20,4 @@ volumes:
   configtraefik:
     driver: local-persist
     driver_opts:
-      mountpoint: $HOST_CONFIG_PATH/traefik
+      mountpoint: $HOST_CONFIG_PATH/traefik

traefik/custom/middlewares.yaml

@@ -1,8 +1,6 @@
 http:
   middlewares:
-    common-auth:
-      basicAuth:
-        usersFile: "/etc/traefik/http_auth"
+    # Middleware applied globally at the entrypoint level (applied to all routers using "secure" entrypoint)
     security-headers:
       headers:
         forceSTSHeader: true
@@ -15,6 +13,18 @@ http:
         frameDeny: true
         contentTypeNosniff: true
         browserXssFilter: true
+
+        customresponseheaders:
+          X-Frame-Options: sameorigin
+          Content-Security-Policy: frame-ancestors https://*.{{ env "TRAEFIK_DOMAIN" }}
+        customrequestheaders:
+          X-Frame-Options: sameorigin
+          Content-Security-Policy: frame-ancestors https://*.{{ env "TRAEFIK_DOMAIN" }}
+
+    # Middlewares which are used automatically by the run-seedbox.sh script according to the parameters applied
+    common-auth:
+      basicAuth:
+        usersFile: "/etc/traefik/http_auth"
     redirect-to-https:
       redirectScheme:
         scheme: https