After Dogfooding it, Pt 6

configs/config.production.json

@@ -0,0 +1,32 @@
+{
+  "url": "https://homelab.turriff.net",
+  "server": {
+    "port": 2368,
+    "host": "0.0.0.0"
+  },
+  "database": {
+    "client": "mysql",
+    "connection": {
+      "host": "percona",
+      "user": "ghost",
+      "password": "\\ak=:YncQ<m&4T79ktl(4mZ{",
+      "database": "ghost"
+    }
+  },
+  "mail": {
+    "transport": "smtp",
+    "options": {
+      "host": "munin.turriff.net"
+    }
+  },
+  "logging": {
+    "transports": [
+      "file",
+      "stdout"
+    ]
+  },
+  "process": "systemd",
+  "paths": {
+    "contentPath": "/var/lib/ghost/content"
+  }
+}

configs/traefik.toml

@@ -0,0 +1,56 @@
+[global]
+checkNewVersion = true
+sendAnonymousUsage = false
+
+[entryPoints.web]
+address = ":10080" 
+
+[entryPoints.web.http.redirections.entryPoint]
+to = ":443"
+scheme = "https"
+
+[entryPoints.websecure]
+address = ":10443"
+
+[entryPoints.websecure.http3]
+advertisedPort = 443
+
+[entryPoints.websecure.http.tls]
+options = "tls-opts@file"
+certResolver = "le"
+
+[certificatesResolvers.le.acme]
+email = "asturriff@gmail.com"
+storage = "/acme/acme.json"
+caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+tlsChallenge = true
+preferredChain = "ISRG Root X2"
+keyType = "EC384"
+
+[log]
+level = "INFO"
+filePath = "/logs/traefik.log"
+
+[accesssLog]
+filePath = "/logs/access.log"
+
+[accessLog.filters]
+statusCodes = [ "204-299","400-499","500-599" ]
+
+[api]
+dashboard = true
+
+[ping]
+entryPoint = "traefik"
+
+[providers.swarm]
+endpoint = "unix:///run/docker.sock"
+exposedByDefault = false
+network = "homelab_homelab"
+
+[providers.file]
+directory = "/rules"
+watch = true
+
+[entryPoints.ssh]
+address = ":10022"

docker-compose-homelab-combined.yaml

@@ -0,0 +1,187 @@
+networks:
+  homelab:
+    driver: overlay
+    ipam:
+      config:
+        - subnet: 10.64.0.0/16
+    internal: true
+  homelab-bridge:
+    driver: overlay
+    ipam:
+      config:
+        - subnet: 10.96.0.0/16
+
+secrets:
+  percona-root:
+    file: /home/andreas/secrets/percona-root
+  ghost:
+    file: /home/andreas/secrets/ghost
+  postgres-root:
+    file: /home/andreas/secrets/postgres-root
+  gitea:
+    file: /home/andreas/secrets/gitea
+
+configs:
+  ghost-config:
+    file: /home/andreas/configs/config.production.json
+  traefik-config:
+    file: /home/andreas/configs/traefik.toml
+services:
+  traefik:
+    configs:
+      - source: traefik-config
+        target: /etc/traefik/traefik.toml
+    deploy:
+      labels:
+        traefik.enable: "true"
+        traefik.http.routers.traefik-rtr.entrypoints: "websecure"
+        traefik.http.routers.traefik-rtr.middlewares: "traefik-allowlist@file"
+        traefik.http.routers.traefik-rtr.rule: "Host(`traefik.turriff.net`)"
+        traefik.http.routers.traefik-rtr.service: "api@internal"
+        traefik.http.services.dummy-svc.loadbalancer.server.port: "9999"
+      replicas: 1
+    healthcheck:
+      test: ["CMD","traefik","healthcheck"]
+      interval: 30s
+      timeout: 10s
+    image: "traefik:3.0"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+      - homelab-bridge
+    ports:
+      - "80:10080"
+      - "443:10443"
+      - "10022:10022"
+    restart: on-failure
+    volumes:
+      - "/srv/data/docker/traefik/rules:/rules:ro"
+      - "/srv/data/docker/traefik/acme:/acme:rw"
+      - "/srv/data/docker/traefik/logs:/logs:rw"
+      - "/run/docker.sock:/run/docker.sock:ro"
+  percona:
+    deploy:
+      replicas: 1
+    environment:
+      MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/percona-root"
+      PERCONA_TELEMETRY_DISABLE: 1
+    image: "percona:ps-8"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: on-failure
+    secrets:
+      - percona-root
+      - ghost
+    volumes:
+      - "/srv/data/docker/percona/data:/var/lib/mysql:rw"
+  ghost:
+    configs:
+      - source: ghost-config
+        target: /var/lib/ghost/config.production.json
+    deploy:
+      replicas: 1
+      labels:
+        traefik.enable: "true"
+        traefik.http.routers.ghost-rtr.entrypoints: "websecure"
+        traefik.http.routers.ghost-rtr.rule: "Host(`ghost.turriff.net`)"
+        traefik.http.routers.ghost-rtr.service: "ghost"
+        traefik.http.services.ghost.loadbalancer.server.port: "2368"
+    image: "ghost:5"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: on-failure
+    volumes:
+      - "/srv/data/docker/ghost/data:/var/lib/ghost/content:rw"
+  navidrome:
+    deploy:
+      replicas: 1
+    environment:
+      ND_BASEURL: "https://media.turriff.net"
+      ND_ENABLE_EXTERNAL_SERVICES: "false"
+    image: "deluan/navidrome:latest"
+    labels:
+      traefik.enable: "true"
+      traefik.http.routers.navidrome-rtr.entrypoint: websecure
+      traefik.http.routers.navidrome-rtr.rule: "Host(`media.turriff.net`)"
+      traefik.http.routers.navidrome-rtr.service: "navidrome"
+      traefix.http.services.navidrome.loadbalancer.server.port: "4533"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: unless-stopped 
+    user: "10002:10002"
+    volumes:
+      - "/srv/data/docker/navidrome/data:/data"
+      - "/srv/data/shared/media/music:/music:ro"
+  postgres:
+    deploy:
+      replicas: 1
+    environment:
+      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres-root"
+    hostname: "postgres"
+    image: "postgres:16"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: on-failure
+    secrets:
+      - postgres-root
+      - gitea
+    shm_size: 128mb
+    user: "10003:10003"
+    volumes:
+      - "/srv/data/docker/postgres/data:/var/lib/postgresql/data:rw"
+      - type: tmpfs
+        target: "/var/run/postgresql"
+  gitea:
+    depends_on:
+      - postgres
+    deploy:
+      labels:
+        traefik.enable: "true"
+        traefik.http.routers.gitea-http-rtr.entrypoints: websecure
+        traefik.http.routers.gitea-http-rtr.rule: "Host(`gitea.turriff.net`)"
+        traefik.http.routers.gitea-http-rtr.service: "gitea"
+        traefik.http.services.gitea.loadbalancer.server.port: "3000"
+        traefik.tcp.routers.gitea-ssh-rtr.entrypoints: ssh
+        traefik.tcp.routers.gitea-ssh-rtr.rule: "Host(`gitea.turriff.net`)"
+        traefik.tcp.routers.gitea-ssh-rtr.service: "gitea-ssh"
+        traefik.tcp.services.gitea-ssh.loadbalancer.server.port: "2222"
+      replicas: 1
+    environment:
+      GITEA__database__DB_TYPE: "postgres"
+      GITEA__database__HOST: "postgres"
+      GITEA__database__NAME: "gitea"
+      GITEA__database__USER: "gitea"
+      GITEA__database__PASSWORD__FILE: "/run/secrets/gitea"
+      GITEA__mailer__ENABLED: "true"
+      GITEA__mailer__FROM: "gitea@turriff.net"
+      GITEA__mailer__PROTOCOL: "smtp+starttls"
+      GITEA__mailer__SMTP_ADDR: "munin.turriff.net"
+      GITEA__mailer__SMTP_PORT: "25"
+      GITEA__server__ROOT_URL: "https://gitea.turriff.net"
+      GITEA__cors__ENABLED: "true"
+      GITEA__cors__ALLOW_DOMAIN: "https://*.turriff.net"
+      GITEA__server__USE_PROXY_PROTOCOL: "true"
+      GITEA__server__DOMAIN: "gitea.turriff.net"
+      GITEA__server__SSH_SERVER_USE_PROXY_PROTOCOL: "true"
+    image: "gitea/gitea:1-rootless"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+      - homelab-bridge
+    restart: on-failure
+    secrets:
+      - gitea
+    user: "10004:10004"
+    volumes:
+      - "/srv/data/docker/gitea/data:/var/lib/gitea:rw"
+      - "/srv/data/docker/gitea/config:/etc/gitea:rw"

docker-compose-homelab.yaml

@@ -0,0 +1,28 @@
+networks:
+  homelab:
+    driver: overlay
+    ipam:
+      config:
+        - subnet: 10.64.0.0/16
+    internal: true
+  homelab-bridge:
+    driver: overlay
+    ipam:
+      config:
+        - subnet: 10.96.0.0/16
+
+secrets:
+  percona-root:
+    file: /home/andreas/secrets/percona-root
+  ghost:
+    file: /home/andreas/secrets/ghost
+  postgres-root:
+    file: /home/andreas/secrets/postgres-root
+  gitea:
+    file: /home/andreas/secrets/gitea
+
+configs:
+  ghost-config:
+    file: /home/andreas/configs/config.production.json
+  traefik-config:
+    file: /home/andreas/configs/traefik.toml

ghost.yaml

@@ -0,0 +1,20 @@
+  ghost:
+    configs:
+      - source: ghost-config
+        target: /var/lib/ghost/config.production.json
+    deploy:
+      replicas: 1
+      labels:
+        traefik.enable: "true"
+        traefik.http.routers.ghost-rtr.entrypoints: "websecure"
+        traefik.http.routers.ghost-rtr.rule: "Host(`ghost.turriff.net`)"
+        traefik.http.routers.ghost-rtr.service: "ghost"
+        traefik.http.services.ghost.loadbalancer.server.port: "2368"
+    image: "ghost:5"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: on-failure
+    volumes:
+      - "/srv/data/docker/ghost/data:/var/lib/ghost/content:rw"

gitea.yaml

@@ -0,0 +1,45 @@
+  gitea:
+    depends_on:
+      - postgres
+    deploy:
+      labels:
+        traefik.enable: "true"
+        traefik.http.routers.gitea-http-rtr.entrypoints: websecure
+        traefik.http.routers.gitea-http-rtr.rule: "Host(`gitea.turriff.net`)"
+        traefik.http.routers.gitea-http-rtr.service: "gitea"
+        traefik.http.services.gitea.loadbalancer.server.port: "3000"
+        traefik.tcp.routers.gitea-ssh-rtr.entrypoints: ssh
+        traefik.tcp.routers.gitea-ssh-rtr.rule: "Host(`gitea.turriff.net`)"
+        traefik.tcp.routers.gitea-ssh-rtr.service: "gitea-ssh"
+        traefik.tcp.services.gitea-ssh.loadbalancer.server.port: "2222"
+      replicas: 1
+    environment:
+      GITEA__database__DB_TYPE: "postgres"
+      GITEA__database__HOST: "postgres"
+      GITEA__database__NAME: "gitea"
+      GITEA__database__USER: "gitea"
+      GITEA__database__PASSWORD__FILE: "/run/secrets/gitea"
+      GITEA__mailer__ENABLED: "true"
+      GITEA__mailer__FROM: "gitea@turriff.net"
+      GITEA__mailer__PROTOCOL: "smtp+starttls"
+      GITEA__mailer__SMTP_ADDR: "munin.turriff.net"
+      GITEA__mailer__SMTP_PORT: "25"
+      GITEA__server__ROOT_URL: "https://gitea.turriff.net"
+      GITEA__cors__ENABLED: "true"
+      GITEA__cors__ALLOW_DOMAIN: "https://*.turriff.net"
+      GITEA__server__USE_PROXY_PROTOCOL: "true"
+      GITEA__server__DOMAIN: "gitea.turriff.net"
+      GITEA__server__SSH_SERVER_USE_PROXY_PROTOCOL: "true"
+    image: "gitea/gitea:1-rootless"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+      - homelab-bridge
+    restart: on-failure
+    secrets:
+      - gitea
+    user: "10004:10004"
+    volumes:
+      - "/srv/data/docker/gitea/data:/var/lib/gitea:rw"
+      - "/srv/data/docker/gitea/config:/etc/gitea:rw"

navidrome.yaml

@@ -0,0 +1,22 @@
+  navidrome:
+    deploy:
+      replicas: 1
+    environment:
+      ND_BASEURL: "https://media.turriff.net"
+      ND_ENABLE_EXTERNAL_SERVICES: "false"
+    image: "deluan/navidrome:latest"
+    labels:
+      traefik.enable: "true"
+      traefik.http.routers.navidrome-rtr.entrypoint: websecure
+      traefik.http.routers.navidrome-rtr.rule: "Host(`media.turriff.net`)"
+      traefik.http.routers.navidrome-rtr.service: "navidrome"
+      traefix.http.services.navidrome.loadbalancer.server.port: "4533"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: unless-stopped 
+    user: "10002:10002"
+    volumes:
+      - "/srv/data/docker/navidrome/data:/data"
+      - "/srv/data/shared/media/music:/music:ro"

percona.yaml

@@ -0,0 +1,17 @@
+  percona:
+    deploy:
+      replicas: 1
+    environment:
+      MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/percona-root"
+      PERCONA_TELEMETRY_DISABLE: 1
+    image: "percona:ps-8"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: on-failure
+    secrets:
+      - percona-root
+      - ghost
+    volumes:
+      - "/srv/data/docker/percona/data:/var/lib/mysql:rw"

postgres.yaml

@@ -0,0 +1,21 @@
+  postgres:
+    deploy:
+      replicas: 1
+    environment:
+      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres-root"
+    hostname: "postgres"
+    image: "postgres:16"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: on-failure
+    secrets:
+      - postgres-root
+      - gitea
+    shm_size: 128mb
+    user: "10003:10003"
+    volumes:
+      - "/srv/data/docker/postgres/data:/var/lib/postgresql/data:rw"
+      - type: tmpfs
+        target: "/var/run/postgresql"

traefik.yaml

@@ -0,0 +1,34 @@
+services:
+  traefik:
+    configs:
+      - source: traefik-config
+        target: /etc/traefik/traefik.toml
+    deploy:
+      labels:
+        traefik.enable: "true"
+        traefik.http.routers.traefik-rtr.entrypoints: "websecure"
+        traefik.http.routers.traefik-rtr.middlewares: "traefik-allowlist@file"
+        traefik.http.routers.traefik-rtr.rule: "Host(`traefik.turriff.net`)"
+        traefik.http.routers.traefik-rtr.service: "api@internal"
+        traefik.http.services.dummy-svc.loadbalancer.server.port: "9999"
+      replicas: 1
+    healthcheck:
+      test: ["CMD","traefik","healthcheck"]
+      interval: 30s
+      timeout: 10s
+    image: "traefik:3.0"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+      - homelab-bridge
+    ports:
+      - "80:10080"
+      - "443:10443"
+      - "10022:10022"
+    restart: on-failure
+    volumes:
+      - "/srv/data/docker/traefik/rules:/rules:ro"
+      - "/srv/data/docker/traefik/acme:/acme:rw"
+      - "/srv/data/docker/traefik/logs:/logs:rw"
+      - "/run/docker.sock:/run/docker.sock:ro"