eddie/homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2
No description
8 commits 1 branch 0 tags 397 KiB
HTML 58.5%
Shell 41.5%
Find a file
Claude 1c3b7e53a1
feat: Add comprehensive GitHub Actions CI/CD pipeline 
GitHub Actions Workflows:
- docker-compose-validation.yml: Validates all compose files
  - Syntax validation
  - Network configuration checks
  - Traefik label validation
  - Port exposure warnings
  - Domain consistency checks
  - File naming convention enforcement

- security-checks.yml: Security scanning and validation
  - Gitleaks secret detection
  - Environment file validation
  - Placeholder password checks
  - Container image vulnerability scanning with Trivy
  - Dependency review for pull requests
  - Security report generation

- yaml-lint.yml: YAML formatting and validation
  - yamllint with custom configuration
  - File extension consistency checks
  - YAML structure validation
  - Service naming convention checks
  - Docker Compose version validation

- documentation.yml: Documentation quality checks
  - Markdown linting
  - Link validation
  - README completeness verification
  - Service documentation checks
  - Domain URL validation

- auto-label.yml: Automated PR labeling
  - Category-based labeling (core/media/services)
  - File type detection
  - Size-based labeling
  - Security-related changes detection

Configuration Files:
- .yamllint.yml: YAML linting rules for Docker Compose
- .markdownlint.json: Markdown formatting rules
- .markdown-link-check.json: Link checking configuration
- .pre-commit-config.yaml: Pre-commit hooks setup
- .github/labeler.yml: Auto-labeler configuration
- .github/CODEOWNERS: Code ownership definitions

Templates:
- pull_request_template.md: Comprehensive PR checklist
- ISSUE_TEMPLATE/bug-report.md: Bug report template
- ISSUE_TEMPLATE/service-request.md: New service request template

Documentation:
- SECURITY.md: Security policy and best practices
- CONTRIBUTING.md: Contribution guidelines

Benefits:
- Automated validation of all compose files
- Security scanning on every PR
- Consistent code formatting
- Documentation quality assurance
- Automated issue/PR management
- Pre-commit hooks for local validation
- Comprehensive security policy
- Clear contribution guidelines
2025-11-05 20:09:33 +00:00
.github feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
compose feat: Complete homelab GitOps setup with SSO and SSL 2025-11-05 19:12:04 +00:00
.markdown-link-check.json feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
.markdownlint.json feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
.pre-commit-config.yaml feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
.yamllint.yml feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
CONTRIBUTING.md feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
README.md feat: Complete homelab GitOps setup with SSO and SSL 2025-11-05 19:12:04 +00:00
SECURITY.md feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00

README.md

Homelab GitOps Configuration

This repository contains Docker Compose configurations for self-hosted home services.

🏗️ Infrastructure

Core Services (Port 80/443)

📁 Directory Structure

compose/
├── core/           # Infrastructure services
│   ├── traefik/    # Reverse proxy & SSL
│   ├── lldap/      # LDAP user directory
│   └── tinyauth/   # SSO authentication
├── media/          # Media services
│   ├── frontend/   # Media frontends
│   │   ├── jellyfin/   # Media server (flix.fig.systems)
│   │   ├── jellyseer/  # Request management (requests.fig.systems)
│   │   └── immich/     # Photo management (photos.fig.systems)
│   └── automation/ # Media automation
│       ├── sonarr/     # TV show management
│       ├── radarr/     # Movie management
│       ├── sabnzbd/    # Usenet downloader
│       └── qbittorrent/# Torrent client
└── services/       # Utility services
    ├── linkwarden/     # Bookmark manager (links.fig.systems)
    ├── vikunja/        # Task management (tasks.fig.systems)
    ├── lubelogger/     # Vehicle tracker (garage.fig.systems)
    ├── calibre-web/    # Ebook library (books.fig.systems)
    ├── booklore/       # Book tracking (booklore.fig.systems)
    ├── FreshRSS/       # RSS reader (rss.fig.systems)
    ├── rsshub/         # RSS feed generator (rsshub.fig.systems)
    ├── microbin/       # Pastebin (paste.fig.systems)
    └── filebrowser/    # File manager (files.fig.systems)

🌐 Domains

All services are accessible via:

  • Primary: *.fig.systems
  • Secondary: *.edfig.dev

Service URLs

Service URL SSO Protected
Traefik Dashboard traefik.fig.systems
LLDAP lldap.fig.systems
Tinyauth auth.fig.systems
Jellyfin flix.fig.systems *
Jellyseerr requests.fig.systems
Immich photos.fig.systems *
Sonarr sonarr.fig.systems
Radarr radarr.fig.systems
SABnzbd sabnzbd.fig.systems
qBittorrent qbt.fig.systems
Linkwarden links.fig.systems
Vikunja tasks.fig.systems
LubeLogger garage.fig.systems
Calibre-web books.fig.systems
Booklore booklore.fig.systems
FreshRSS rss.fig.systems
RSSHub rsshub.fig.systems *
MicroBin paste.fig.systems *
File Browser files.fig.systems

Services marked with have their own authentication systems

📦 Media Folder Structure

The VM should have /media mounted at the root with this structure:

/media/
├── audiobooks/
├── books/
├── comics/
├── complete/      # Completed downloads
├── downloads/     # Active downloads
├── homemovies/
├── incomplete/    # Incomplete downloads
├── movies/
├── music/
├── photos/
└── tv/

🚀 Deployment

Prerequisites

  1. DNS Configuration: Point *.fig.systems and *.edfig.dev to your server IP
  2. Media Folders: Ensure /media is mounted with the folder structure above
  3. Docker Network: Create the homelab network
docker network create homelab

Deployment Order

  1. Core Infrastructure (must be first):
cd compose/core/traefik && docker compose up -d
cd compose/core/lldap && docker compose up -d
cd compose/core/tinyauth && docker compose up -d

  1. Configure LLDAP:

    • Visit https://lldap.fig.systems
    • Login with admin credentials from .env
    • Create an observer user for tinyauth
    • Add regular users for authentication

  2. Update Passwords:

    • Update LLDAP_LDAP_USER_PASS in core/lldap/.env
    • Update LDAP_BIND_PASSWORD in core/tinyauth/.env to match
    • Update SESSION_SECRET in core/tinyauth/.env
    • Update database passwords in service .env files

  3. Deploy Services:

# Media frontend
cd compose/media/frontend/jellyfin && docker compose up -d
cd compose/media/frontend/jellyseer && docker compose up -d
cd compose/media/frontend/immich && docker compose up -d

# Media automation
cd compose/media/automation/sonarr && docker compose up -d
cd compose/media/automation/radarr && docker compose up -d
cd compose/media/automation/sabnzbd && docker compose up -d
cd compose/media/automation/qbittorrent && docker compose up -d

# Utility services
cd compose/services/linkwarden && docker compose up -d
cd compose/services/vikunja && docker compose up -d
cd compose/services/lubelogger && docker compose up -d
cd compose/services/calibre-web && docker compose up -d
cd compose/services/booklore && docker compose up -d
cd compose/services/FreshRSS && docker compose up -d
cd compose/services/rsshub && docker compose up -d
cd compose/services/microbin && docker compose up -d
cd compose/services/filebrowser && docker compose up -d

🔐 Security Considerations

  1. Change Default Passwords: All .env files contain placeholder passwords marked with changeme_*
  2. LLDAP Observer User: Create a readonly user in LLDAP for tinyauth to bind
  3. SSL Certificates: Traefik automatically obtains Let's Encrypt certificates
  4. Network Isolation: Services use internal networks for database/cache communication
  5. SSO: Most services are protected by tinyauth forward authentication

📝 Configuration Files

Each service has its own .env file where applicable. Key files to review:

  • core/lldap/.env - LDAP configuration and admin credentials
  • core/tinyauth/.env - LDAP connection and session settings
  • media/frontend/immich/.env - Photo management configuration
  • services/linkwarden/.env - Bookmark manager settings
  • services/microbin/.env - Pastebin configuration

🔧 Maintenance

Viewing Logs

cd compose/[category]/[service]
docker compose logs -f

Updating Services

cd compose/[category]/[service]
docker compose pull
docker compose up -d

Backing Up Data

Important data locations:

  • LLDAP: compose/core/lldap/data/
  • Service configs: compose/*/*/config/
  • Databases: compose/*/*/db/ or compose/*/*/pgdata/
  • Media: /media/ (handle separately)

🐛 Troubleshooting

Service won't start

  1. Check logs: docker compose logs
  2. Verify network exists: docker network ls | grep homelab
  3. Check port conflicts: docker ps -a

SSL certificate issues

  1. Verify DNS points to your server
  2. Check Traefik logs: cd compose/core/traefik && docker compose logs
  3. Ensure ports 80 and 443 are open

SSO not working

  1. Verify tinyauth is running: docker ps | grep tinyauth
  2. Check LLDAP connection in tinyauth logs
  3. Verify LDAP bind credentials match in both services

📄 License

This is a personal homelab configuration. Use at your own risk.

🤝 Contributing

This is a personal repository, but feel free to use it as a reference for your own homelab!