commit 818ba34135784e2b5172344f45ff493fa054e71c
Author: Nicolas MASSE
Date: Mon Jan 9 13:11:04 2023 +0100
initial commit
diff --git a/nextcloud/nginx/nginx.conf b/nextcloud/nginx/nginx.conf
new file mode 100644
index 0000000..1b9af82
--- /dev/null
+++ b/nextcloud/nginx/nginx.conf
@@ -0,0 +1,167 @@
+worker_processes auto;
+error_log stderr warn;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ # Do not leak server version in HTTP headers
+ server_tokens off;
+
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.16.0.0/12;
+ set_real_ip_from 192.168.0.0/16;
+ real_ip_header X-Real-IP;
+
+ upstream php-handler {
+ server nextcloud:9000;
+ }
+
+ server {
+ listen 8080;
+
+ # HSTS settings
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Pagespeed is not supported by Nextcloud, so if your server is built
+ # with the `ngx_pagespeed` module, uncomment this line to disable it.
+ #pagespeed off;
+
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Path to the root of your installation
+ root /var/www/html;
+
+ # Specify how to handle directories -- specifying `/index.php$request_uri`
+ # here as the fallback means that Nginx always exhibits the desired behaviour
+ # when a client requests a path that corresponds to a directory that exists
+ # on the server. In particular, if that directory contains an index.php file,
+ # that file is correctly served; if it doesn't, then the request is passed to
+ # the front-end controller. This consistent behaviour means that we don't need
+ # to specify custom rules for certain paths (e.g. images and other assets,
+ # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+ # `try_files $uri $uri/ /index.php$request_uri`
+ # always provides the desired behaviour.
+ index index.php index.html /index.php$request_uri;
+
+ # Do not include the hostname and scheme in the redirect URL since it is
+ # always wrong in a Kubernetes environment (request received on HTTPS by Traefik
+ # and transmitted on HTTP internally).
+ absolute_redirect off;
+
+ # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+ location ^~ /.well-known {
+ # The following 6 rules are borrowed from `.htaccess`
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+ # Anything else is dynamically handled by Nextcloud
+ location ^~ /.well-known { return 301 /index.php$uri; }
+
+ try_files $uri $uri/ =404;
+ }
+
+ # Rules borrowed from `.htaccess` to hide certain paths from clients
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ \.(?:css|js|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ expires 6M; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ # Optional: Don't log access to other assets
+ access_log off;
+ }
+ }
+}
\ No newline at end of file
diff --git a/nextcloud/podman-compose.yaml b/nextcloud/podman-compose.yaml
new file mode 100644
index 0000000..0f21932
--- /dev/null
+++ b/nextcloud/podman-compose.yaml
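Review bot: The three `set_real_ip_from` ranges at the top of the `http` block trust every RFC 1918 address to supply `X-Real-IP`, yet the companion compose file publishes this listener straight to the host with `"8080:8080"`; if the forwarded connections arrive from the container network's gateway, as is usual, every client appears to come from a trusted range and can choose the address Nextcloud logs and rate-limits on. Narrowing the list to the address of the proxy that actually sets the header, and saying so in a comment, would be safer: `# Trust X-Real-IP only from the TLS-terminating proxy (Traefik) — adjust when deployed elsewhere`. Related: `fastcgi_param HTTPS on;` is unconditional while the server listens only on plain 8080, which is right behind the proxy described in the `absolute_redirect` comment but misleads Nextcloud when the port is reached directly, so that Traefik note belongs next to this line too.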
@@ -0,0 +1,52 @@
+volumes:
+ db:
+ nextcloud:
+
+services:
+ db:
+ image: docker.io/library/mariadb:10.5
+ expose:
+ - "3306"
+ restart: always
+ command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+ volumes:
+ - db:/var/lib/mysql
+ environment:
+ - MARIADB_ROOT_PASSWORD=
+ - MARIADB_PASSWORD=
+ - MARIADB_DATABASE=nextcloud
+ - MARIADB_USER=nextcloud
+ - MARIADB_PASSWORD=nextcloud
+ - MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=true
+
+ # URL: http://localhost:8080/apps/dashboard/
+ nextcloud:
+ image: docker.io/library/nextcloud:23-fpm-alpine
+ restart: always
+ expose:
+ - "9000"
+ links:
+ - db
+ volumes:
+ - nextcloud:/var/www/html
+ environment:
+ - MYSQL_PASSWORD=nextcloud
+ - MYSQL_DATABASE=nextcloud
+ - MYSQL_USER=nextcloud
+ - MYSQL_HOST=db
+ - NEXTCLOUD_ADMIN_USER=admin
+ - NEXTCLOUD_ADMIN_PASSWORD=secret
+ - NEXTCLOUD_DATA_DIR=/var/www/html/data
+ - NEXTCLOUD_TRUSTED_DOMAINS=localhost
+
+ nginx:
+ image: docker.io/library/nginx:1.23-alpine
+ restart: always
+ ports:
+ - "8080:8080"
+ links:
+ - nextcloud
+ volumes:
+ - nginx/nginx.conf:/etc/nginx/nginx.conf:z
+ - nextcloud:/var/www/html
+
diff --git a/paperless-ngx/.gitignore b/paperless-ngx/.gitignore
new file mode 100644
index 0000000..c3cbb98
--- /dev/null
+++ b/paperless-ngx/.gitignore
@@ -0,0 +1,2 @@
+consume
+export
\ No newline at end of file
diff --git a/paperless-ngx/podman-compose.env b/paperless-ngx/podman-compose.env
new file mode 100644
index 0000000..c510cd6
--- /dev/null
+++ b/paperless-ngx/podman-compose.env
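Review bot: The `db` service's `environment` list sets `MARIADB_PASSWORD` twice (first empty, then `nextcloud`) and pairs an empty `MARIADB_ROOT_PASSWORD=` with `MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=true`, so the database root account ends up with no password at all and the effective application password depends on which duplicate the compose implementation keeps. Dropping the empty `MARIADB_PASSWORD=` line and giving root a real value — or reading both from an untracked env file, as the paperless directory does with `env_file:` — fixes both; `NEXTCLOUD_ADMIN_PASSWORD=secret` belongs in that file as well. Separately, the bind mount `nginx/nginx.conf:/etc/nginx/nginx.conf:z` has no `./` prefix, which compose implementations may read as a named volume rather than a host path; `./nginx/nginx.conf:/etc/nginx/nginx.conf:z` matches the `./export` form used in the paperless file.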
@@ -0,0 +1,47 @@
+# The UID and GID of the user used to run paperless in the container. Set this
+# to your UID and GID on the host so that you have write access to the
+# consumption directory.
+#USERMAP_UID=1000
+#USERMAP_GID=1000
+
+# Additional languages to install for text recognition, separated by a
+# whitespace. Note that this is
+# different from PAPERLESS_OCR_LANGUAGE (default=eng), which defines the
+# language used for OCR.
+# The container installs English, German, Italian, Spanish and French by
+# default.
+# See https://packages.debian.org/search?keywords=tesseract-ocr-&searchon=names&suite=buster
+# for available languages.
+#PAPERLESS_OCR_LANGUAGES=tur ces
+
+###############################################################################
+# Paperless-specific settings #
+###############################################################################
+
+# All settings defined in the paperless.conf.example can be used here. The
+# Docker setup does not use the configuration file.
+# A few commonly adjusted settings are provided below.
+
+# This is required if you will be exposing Paperless-ngx on a public domain
+# (if doing so please consider security measures such as reverse proxy)
+#PAPERLESS_URL=https://paperless.example.com
+
+# Adjust this key if you plan to make paperless available publicly. It should
+# be a very long sequence of random characters. You don't need to remember it.
+#PAPERLESS_SECRET_KEY=change-me
+
+# Use this variable to set a timezone for the Paperless Docker containers. If not specified, defaults to UTC.
+#PAPERLESS_TIME_ZONE=America/Los_Angeles
+
+# The default language to use for OCR. Set this to the language most of your
+# documents are written in.
+#PAPERLESS_OCR_LANGUAGE=eng
+
+# Set if accessing paperless via a domain subpath e.g. https://domain.com/PATHPREFIX and using a reverse-proxy like traefik or nginx
+#PAPERLESS_FORCE_SCRIPT_NAME=/PATHPREFIX
+#PAPERLESS_STATIC_URL=/PATHPREFIX/static/ # trailing slash required
+
+PAPERLESS_ADMIN_USER=admin
+PAPERLESS_ADMIN_MAIL=nicolas.masse@itix.fr
+PAPERLESS_ADMIN_PASSWORD=secret
+PAPERLESS_SECRET_KEY=s3cr3t
diff --git a/paperless-ngx/podman-compose.yaml b/paperless-ngx/podman-compose.yaml
new file mode 100644
index 0000000..f5b45ab
--- /dev/null
+++ b/paperless-ngx/podman-compose.yaml
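Review bot: `PAPERLESS_SECRET_KEY=s3cr3t` and `PAPERLESS_ADMIN_PASSWORD=secret` are committed in a tracked file, and the file's own comment a few lines above says the key should be a very long sequence of random characters, so this value defeats the purpose that comment describes for any instance started from the repo. Generate a long random key at deploy time and keep the real file out of git: the `paperless-ngx/.gitignore` added in this commit lists only `consume` and `export`, so adding `podman-compose.env` there and committing a `podman-compose.env.example` with placeholder values keeps the layout while removing the secrets from history going forward.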
@@ -0,0 +1,75 @@
+# docker-compose file for running paperless from the Docker Hub.
+# This file contains everything paperless needs to run.
+# Paperless supports amd64, arm and arm64 hardware.
+#
+# All compose files of paperless configure paperless in the following way:
+#
+# - Paperless is (re)started on system boot, if it was running before shutdown.
+# - Docker volumes for storing data are managed by Docker.
+# - Folders for importing and exporting files are created in the same directory
+# as this file and mounted to the correct folders inside the container.
+# - Paperless listens on port 8000.
+#
+# In addition to that, this docker-compose file adds the following optional
+# configurations:
+#
+# - Instead of SQLite (default), PostgreSQL is used as the database server.
+#
+# To install and update paperless with this file, do the following:
+#
+# - Copy this file as 'docker-compose.yml' and the files 'docker-compose.env'
+# and '.env' into a folder.
+# - Run 'docker-compose pull'.
+# - Run 'docker-compose run --rm webserver createsuperuser' to create a user.
+# - Run 'docker-compose up -d'.
+#
+# For more extensive installation and update instructions, refer to the
+# documentation.
+
+version: "3.4"
+services:
+ broker:
+ image: docker.io/library/redis:7
+ restart: unless-stopped
+ volumes:
+ - redisdata:/data
+
+ db:
+ image: docker.io/library/postgres:13
+ restart: unless-stopped
+ volumes:
+ - pgdata:/var/lib/postgresql/data
+ environment:
+ POSTGRES_DB: paperless
+ POSTGRES_USER: paperless
+ POSTGRES_PASSWORD: paperless
+
+ webserver:
+ image: ghcr.io/paperless-ngx/paperless-ngx:latest
+ restart: unless-stopped
+ depends_on:
+ - db
+ - broker
+ ports:
+ - 8000:8000
+ healthcheck:
+ test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"]
+ interval: 30s
+ timeout: 10s
+ retries: 5
+ volumes:
+ - data:/usr/src/paperless/data
+ - media:/usr/src/paperless/media
+ - ./export:/usr/src/paperless/export:z
+ - ./consume:/usr/src/paperless/consume:z
+ env_file: podman-compose.env
+ environment:
+ PAPERLESS_REDIS: redis://broker:6379
+ PAPERLESS_DBHOST: db
+
+
+volumes:
+ data:
+ media:
+ pgdata:
+ redisdata:
diff --git a/qbittorrent/.gitignore b/qbittorrent/.gitignore
new file mode 100644
index 0000000..04204c7
--- /dev/null
+++ b/qbittorrent/.gitignore
@@ -0,0 +1 @@
+config
diff --git a/qbittorrent/podman-compose.yaml b/qbittorrent/podman-compose.yaml
new file mode 100644
index 0000000..e02822f
--- /dev/null
+++ b/qbittorrent/podman-compose.yaml
@@ -0,0 +1,19 @@
+volumes:
+ downloads:
+services:
+ qbittorrent:
+ image: lscr.io/linuxserver/qbittorrent:latest
+ container_name: qbittorrent
+ user: "10017:10000"
+ volumes:
+ - config:/config:z
+ - downloads:/downloads
+ ports:
+ - 8080:8080
+ - 6881:6881
+ - 6881:6881/udp
+ restart: unless-stopped
+ entrypoint:
+ - /usr/bin/qbittorrent-nox
+ command:
+ - --webui-port=8080
\ No newline at end of file
diff --git a/transmission/podman-compose.yaml b/transmission/podman-compose.yaml
new file mode 100644
index 0000000..1071753
--- /dev/null
+++ b/transmission/podman-compose.yaml
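Review bot: `image: ghcr.io/paperless-ngx/paperless-ngx:latest` is unpinned while every other image in this file and in the nextcloud file carries a tag (`redis:7`, `postgres:13`, `nextcloud:23-fpm-alpine`, `nginx:1.23-alpine`), so a routine `pull` can silently move the webserver to a new major release and run its migrations against the `data` and `pgdata` volumes; pinning to a release, `image: ghcr.io/paperless-ngx/paperless-ngx:<pinned-version>`, keeps the deployment reproducible. The header comment still describes the upstream workflow — copy as `docker-compose.yml`, create `docker-compose.env`, run `createsuperuser` — while this file reads `env_file: podman-compose.env` and that env file already sets `PAPERLESS_ADMIN_USER`, so those lines should be rewritten to match. `POSTGRES_PASSWORD: paperless` and `8000:8000` (all host interfaces) are fine for a local setup but deserve a one-line comment saying that is the intent.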
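Review bot: The `config:/config:z` mount names a volume `config` that the top-level `volumes:` section never declares (only `downloads:` is), while the `qbittorrent/.gitignore` added in the same commit ignores a `config` directory, which suggests a bind mount of `./config` was intended; strict compose implementations reject an undeclared named volume and lenient ones create a named volume and never touch `./config`. Writing `- ./config:/config:z` (or declaring `config:` under `volumes:`) makes the intent explicit. The image is also `:latest`, and overriding `entrypoint:` with `/usr/bin/qbittorrent-nox` replaces whatever the image's default entrypoint does, so the `user: "10017:10000"` line presumably is the only thing setting the runtime UID — a comment stating that would help the next reader.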
@@ -0,0 +1,59 @@
+volumes:
+ transmission-config:
+ downloads:
+ flood-config:
+ flood-runtime:
+
+services:
+ transmission:
+ image: lscr.io/linuxserver/transmission:latest
+ container_name: transmission
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Paris
+ - TRANSMISSION_WEB_HOME=/combustion-release/
+ - USER=admin
+ - PASS=secret
+ - PEERPORT=6881
+ volumes:
+ - transmission-config:/config:z
+ - downloads:/downloads:z
+ ports:
+ - 9091:9091
+ - 6881:6881
+ - 6881:6881/udp
+ expose:
+ - "9091"
+ restart: unless-stopped
+ flood:
+ image: docker.io/jesec/flood:latest
+ container_name: flood
+ environment:
+ - HOME=/home/flood
+ volumes:
+ - flood-config:/home/flood
+ - flood-runtime:/var/lib/flood
+ - downloads:/data
+ user: "1000:1000"
+ ports:
+ - 3000:3000
+ link:
+ - transmission
+ command:
+ - --port
+ - "3000"
+ - --allowedpath
+ - "/data"
+ - --auth
+ - none
+ - --trurl
+ - http://transmission:9091/transmission/rpc
+ - --truser
+ - admin
+ - --trpass
+ - secret
+ - --rundir
+ - /var/lib/flood
+ - --host 0.0.0.0
+ restart: unless-stopped
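Review bot: The `flood` service is started with `--auth` / `none` and published on every host interface via `3000:3000`, and its command line carries the transmission RPC credentials (`--truser admin`, `--trpass secret`), so anyone who can reach port 3000 gets an unauthenticated front end over the torrent client; binding to loopback (`- 127.0.0.1:3000:3000`) or removing `--auth none` limits that to the intended user. Two likely mistakes in the same block: `- --host 0.0.0.0` is a single list item, so flood receives the one argument `"--host 0.0.0.0"` instead of the flag/value pair every other option uses, and the `link:` key should read `links:` as in the nextcloud file. `PASS=secret` and `--trpass secret` are also committed in clear text; the `env_file:` approach used for paperless fits here too.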