eddie/homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2
homelab/README.md
Claude fd48fed9d8
feat: Complete homelab GitOps setup with SSO and SSL 
Core Infrastructure:
- Add LLDAP for centralized user authentication (lldap.fig.systems)
- Configure Tinyauth with LLDAP backend for SSO (auth.fig.systems)
- Set up Traefik v3.3 with Let's Encrypt SSL automation
- Create homelab Docker network for service isolation

Media Services:
- Configure Jellyfin with /media folder mappings (flix.fig.systems)
- Add Jellyseerr for media requests (requests.fig.systems)
- Update Immich with photo library access (photos.fig.systems)
- Set up Sonarr for TV automation (sonarr.fig.systems)
- Set up Radarr for movie automation (radarr.fig.systems)
- Configure SABnzbd for Usenet downloads (sabnzbd.fig.systems)
- Add qBittorrent for torrent downloads (qbt.fig.systems)

Utility Services:
- Update Linkwarden with proper networking (links.fig.systems)
- Configure Vikunja task management (tasks.fig.systems)
- Set up LubeLogger vehicle tracking (garage.fig.systems)
- Configure Calibre-web for ebooks (books.fig.systems)
- Add Booklore for book tracking (booklore.fig.systems)
- Update FreshRSS reader (rss.fig.systems)
- Update RSSHub with internal networking (rsshub.fig.systems)
- Update MicroBin pastebin (paste.fig.systems)
- Add File Browser for media access (files.fig.systems)

Technical Improvements:
- Standardize all compose files to compose.yaml (Docker best practice)
- Add Traefik labels to all services for SSL termination
- Implement proper network isolation (homelab + service-specific networks)
- Add health checks to database services
- Configure dual domain support (fig.systems + edfig.dev)
- Set proper /media folder mappings for all media services
- Add comprehensive README with deployment instructions

Security:
- Enable SSO via Tinyauth for most services
- Configure LLDAP with admin user (edfig/admin@edfig.dev)
- Services with built-in auth have SSO disabled by default
- All traffic secured with automatic Let's Encrypt certificates
2025-11-05 19:12:04 +00:00

218 lines
7.2 KiB
Markdown
Raw Blame History

# Homelab GitOps Configuration
This repository contains Docker Compose configurations for self-hosted home services.
## 🏗️ Infrastructure
### Core Services (Port 80/443)
- **Traefik** - Reverse proxy with automatic Let's Encrypt SSL
- **LLDAP** - Lightweight LDAP server for user management
- Admin: `edfig` (admin@edfig.dev)
- Web UI: https://lldap.fig.systems
- **Tinyauth** - SSO authentication via Traefik forward auth
- Connected to LLDAP for user authentication
- Web UI: https://auth.fig.systems
## 📁 Directory Structure
```
compose/
├── core/ # Infrastructure services
│ ├── traefik/ # Reverse proxy & SSL
│ ├── lldap/ # LDAP user directory
│ └── tinyauth/ # SSO authentication
├── media/ # Media services
│ ├── frontend/ # Media frontends
│ │ ├── jellyfin/ # Media server (flix.fig.systems)
│ │ ├── jellyseer/ # Request management (requests.fig.systems)
│ │ └── immich/ # Photo management (photos.fig.systems)
│ └── automation/ # Media automation
│ ├── sonarr/ # TV show management
│ ├── radarr/ # Movie management
│ ├── sabnzbd/ # Usenet downloader
│ └── qbittorrent/# Torrent client
└── services/ # Utility services
├── linkwarden/ # Bookmark manager (links.fig.systems)
├── vikunja/ # Task management (tasks.fig.systems)
├── lubelogger/ # Vehicle tracker (garage.fig.systems)
├── calibre-web/ # Ebook library (books.fig.systems)
├── booklore/ # Book tracking (booklore.fig.systems)
├── FreshRSS/ # RSS reader (rss.fig.systems)
├── rsshub/ # RSS feed generator (rsshub.fig.systems)
├── microbin/ # Pastebin (paste.fig.systems)
└── filebrowser/ # File manager (files.fig.systems)
```
## 🌐 Domains
All services are accessible via:
- Primary: `*.fig.systems`
- Secondary: `*.edfig.dev`
### Service URLs
| Service | URL | SSO Protected |
|---------|-----|---------------|
| Traefik Dashboard | traefik.fig.systems | ✅ |
| LLDAP | lldap.fig.systems | ✅ |
| Tinyauth | auth.fig.systems | ❌ |
| Jellyfin | flix.fig.systems | ❌* |
| Jellyseerr | requests.fig.systems | ✅ |
| Immich | photos.fig.systems | ❌* |
| Sonarr | sonarr.fig.systems | ✅ |
| Radarr | radarr.fig.systems | ✅ |
| SABnzbd | sabnzbd.fig.systems | ✅ |
| qBittorrent | qbt.fig.systems | ✅ |
| Linkwarden | links.fig.systems | ✅ |
| Vikunja | tasks.fig.systems | ✅ |
| LubeLogger | garage.fig.systems | ✅ |
| Calibre-web | books.fig.systems | ✅ |
| Booklore | booklore.fig.systems | ✅ |
| FreshRSS | rss.fig.systems | ✅ |
| RSSHub | rsshub.fig.systems | ❌* |
| MicroBin | paste.fig.systems | ❌* |
| File Browser | files.fig.systems | ✅ |
*Services marked with ❌* have their own authentication systems
## 📦 Media Folder Structure
The VM should have `/media` mounted at the root with this structure:
```
/media/
├── audiobooks/
├── books/
├── comics/
├── complete/ # Completed downloads
├── downloads/ # Active downloads
├── homemovies/
├── incomplete/ # Incomplete downloads
├── movies/
├── music/
├── photos/
└── tv/
```
## 🚀 Deployment
### Prerequisites
1. **DNS Configuration**: Point `*.fig.systems` and `*.edfig.dev` to your server IP
2. **Media Folders**: Ensure `/media` is mounted with the folder structure above
3. **Docker Network**: Create the homelab network
```bash
docker network create homelab
```
### Deployment Order
1. **Core Infrastructure** (must be first):
```bash
cd compose/core/traefik && docker compose up -d
cd compose/core/lldap && docker compose up -d
cd compose/core/tinyauth && docker compose up -d
```
2. **Configure LLDAP**:
- Visit https://lldap.fig.systems
- Login with admin credentials from `.env`
- Create an observer user for tinyauth
- Add regular users for authentication
3. **Update Passwords**:
- Update `LLDAP_LDAP_USER_PASS` in `core/lldap/.env`
- Update `LDAP_BIND_PASSWORD` in `core/tinyauth/.env` to match
- Update `SESSION_SECRET` in `core/tinyauth/.env`
- Update database passwords in service `.env` files
4. **Deploy Services**:
```bash
# Media frontend
cd compose/media/frontend/jellyfin && docker compose up -d
cd compose/media/frontend/jellyseer && docker compose up -d
cd compose/media/frontend/immich && docker compose up -d
# Media automation
cd compose/media/automation/sonarr && docker compose up -d
cd compose/media/automation/radarr && docker compose up -d
cd compose/media/automation/sabnzbd && docker compose up -d
cd compose/media/automation/qbittorrent && docker compose up -d
# Utility services
cd compose/services/linkwarden && docker compose up -d
cd compose/services/vikunja && docker compose up -d
cd compose/services/lubelogger && docker compose up -d
cd compose/services/calibre-web && docker compose up -d
cd compose/services/booklore && docker compose up -d
cd compose/services/FreshRSS && docker compose up -d
cd compose/services/rsshub && docker compose up -d
cd compose/services/microbin && docker compose up -d
cd compose/services/filebrowser && docker compose up -d
```
## 🔐 Security Considerations
1. **Change Default Passwords**: All `.env` files contain placeholder passwords marked with `changeme_*`
2. **LLDAP Observer User**: Create a readonly user in LLDAP for tinyauth to bind
3. **SSL Certificates**: Traefik automatically obtains Let's Encrypt certificates
4. **Network Isolation**: Services use internal networks for database/cache communication
5. **SSO**: Most services are protected by tinyauth forward authentication
## 📝 Configuration Files
Each service has its own `.env` file where applicable. Key files to review:
- `core/lldap/.env` - LDAP configuration and admin credentials
- `core/tinyauth/.env` - LDAP connection and session settings
- `media/frontend/immich/.env` - Photo management configuration
- `services/linkwarden/.env` - Bookmark manager settings
- `services/microbin/.env` - Pastebin configuration
## 🔧 Maintenance
### Viewing Logs
```bash
cd compose/[category]/[service]
docker compose logs -f
```
### Updating Services
```bash
cd compose/[category]/[service]
docker compose pull
docker compose up -d
```
### Backing Up Data
Important data locations:
- LLDAP: `compose/core/lldap/data/`
- Service configs: `compose/*/*/config/`
- Databases: `compose/*/*/db/` or `compose/*/*/pgdata/`
- Media: `/media/` (handle separately)
## 🐛 Troubleshooting
### Service won't start
1. Check logs: `docker compose logs`
2. Verify network exists: `docker network ls | grep homelab`
3. Check port conflicts: `docker ps -a`
### SSL certificate issues
1. Verify DNS points to your server
2. Check Traefik logs: `cd compose/core/traefik && docker compose logs`
3. Ensure ports 80 and 443 are open
### SSO not working
1. Verify tinyauth is running: `docker ps | grep tinyauth`
2. Check LLDAP connection in tinyauth logs
3. Verify LDAP bind credentials match in both services
## 📄 License
This is a personal homelab configuration. Use at your own risk.
## 🤝 Contributing
This is a personal repository, but feel free to use it as a reference for your own homelab!
Reference in a new issue View git blame Copy permalink