Claude ffc30ff582
refactor: Move all environment variables to .env files with example secrets
This commit improves configuration management by:

## Changes

### Environment Variable Management
- Moved ALL environment blocks from compose.yaml files to .env files
- Added comprehensive .env files for all 20 services
- Included example secret formats with generation commands
- Added detailed comments explaining what each secret should look like

### Example Secret Formats
All .env files now include examples for:
- **JWT Secrets**: 64-character hex strings
  - Example format: `a1b2c3d4e5f67890abcdef1234567890...`
  - Generate with: `openssl rand -hex 32`

- **Passwords**: Strong alphanumeric passwords
  - Example format: `MyS3cur3P@ssw0rd!2024#HomeL@b`
  - Generate with: `openssl rand -base64 32 | tr -d /=+ | cut -c1-32`

- **Session Secrets**: Random hex strings
  - Example format: `b2c3d4e5f67890abcdef1234567890a1b2...`
  - Generate with: `openssl rand -hex 32`

- **API Keys**: Service-specific formats
  - Meili: 32-character hex (`openssl rand -hex 16`)
  - NextAuth: 64-character hex (`openssl rand -hex 32`)

### GPU Support Documentation
- Added NVIDIA GPU (GTX 1070) configuration for Jellyfin
- Added NVIDIA GPU configuration for Immich (ML inference & transcoding)
- Included setup instructions for NVIDIA Container Toolkit
- Documented how to enable GPU acceleration in each service

### Services Updated

**Core Infrastructure:**
- lldap: Added JWT secret and password examples
- tinyauth: Added session secret examples
- traefik: No environment variables needed

**Media Services:**
- jellyfin: Added .env with GPU configuration docs
- jellyseer: Created .env with logging and timezone settings
- immich: Added database password examples and GPU docs
- sonarr: Created .env for PUID/PGID/TZ
- radarr: Created .env for PUID/PGID/TZ
- sabnzbd: Created .env for PUID/PGID/TZ
- qbittorrent: Created .env for PUID/PGID/TZ/WEBUI_PORT

**Utility Services:**
- homarr: Created .env for port and timezone
- backrest: Added environment variables to .env
- linkwarden: Rewrote .env with NextAuth, Postgres, Meili examples
- vikunja: Created .env with JWT secret and database password
- FreshRSS: Created .env for PUID/PGID/TZ
- booklore: Created .env for PUID/PGID/TZ
- calibre-web: Created .env for PUID/PGID/TZ
- filebrowser: Created .env for PUID/PGID/TZ
- lubelogger: Created .env with locale settings
- rsshub: Created .env with cache and logging config
- microbin: Updated existing .env, removed environment block

### Benefits

1. **Security**:
   - Clear examples show what strong secrets look like
   - Generation commands prevent weak passwords
   - All secrets in one place per service

2. **Consistency**:
   - All services follow the same pattern (env_file: .env)
   - No more environment blocks in compose files
   - Easier to template new services

3. **Usability**:
   - Users know exactly what to change (look for `changeme_*`)
   - Example formats prevent configuration errors
   - Commands provided to generate secure values

4. **Maintainability**:
   - Compose files are cleaner and more readable
   - Environment changes don't require compose file edits
   - Version control friendly (.env files can be .gitignored)

### Files Changed
- Modified: 24 compose.yaml files
- Created: 14 new .env files
- Updated: 6 existing .env files
- Total .env files: 20 across all services

All compose.yaml files now use `env_file: .env` exclusively.
No environment blocks remain in any compose files.
2025-11-06 19:18:07 +00:00
.github fix: Resolve Traefik network and labeler configuration errors 2025-11-05 21:25:45 +00:00
compose refactor: Move all environment variables to .env files with example secrets 2025-11-06 19:18:07 +00:00
templates/service-template feat: Add service template, backup solution, dashboard, and IaC tooling 2025-11-05 21:54:30 +00:00
terraform feat: Add service template, backup solution, dashboard, and IaC tooling 2025-11-05 21:54:30 +00:00
.markdown-link-check.json feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
.markdownlint.json feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
.pre-commit-config.yaml feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
.yamllint.yml feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
CONTRIBUTING.md feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00
PR_REVIEW.md docs: Add comprehensive PR review documentation 2025-11-05 21:08:33 +00:00
README.md feat: Add service template, backup solution, dashboard, and IaC tooling 2025-11-05 21:54:30 +00:00
SECURITY.md feat: Add comprehensive GitHub Actions CI/CD pipeline 2025-11-05 20:09:33 +00:00

Homelab GitOps Configuration

This repository contains Docker Compose configurations for self-hosted home services.

🏗️ Infrastructure

Core Services (Port 80/443)

📁 Directory Structure

compose/
├── core/           # Infrastructure services
│   ├── traefik/    # Reverse proxy & SSL
│   ├── lldap/      # LDAP user directory
│   └── tinyauth/   # SSO authentication
├── media/          # Media services
│   ├── frontend/   # Media frontends
│   │   ├── jellyfin/   # Media server (flix.fig.systems)
│   │   ├── jellyseer/  # Request management (requests.fig.systems)
│   │   └── immich/     # Photo management (photos.fig.systems)
│   └── automation/ # Media automation
│       ├── sonarr/     # TV show management
│       ├── radarr/     # Movie management
│       ├── sabnzbd/    # Usenet downloader
│       └── qbittorrent/# Torrent client
└── services/       # Utility services
    ├── homarr/         # Dashboard (home.fig.systems)
    ├── backrest/       # Backup manager (backup.fig.systems)
    ├── linkwarden/     # Bookmark manager (links.fig.systems)
    ├── vikunja/        # Task management (tasks.fig.systems)
    ├── lubelogger/     # Vehicle tracker (garage.fig.systems)
    ├── calibre-web/    # Ebook library (books.fig.systems)
    ├── booklore/       # Book tracking (booklore.fig.systems)
    ├── FreshRSS/       # RSS reader (rss.fig.systems)
    ├── rsshub/         # RSS feed generator (rsshub.fig.systems)
    ├── microbin/       # Pastebin (paste.fig.systems)
    └── filebrowser/    # File manager (files.fig.systems)

🌐 Domains

All services are accessible via:

  • Primary: *.fig.systems
  • Secondary: *.edfig.dev

Service URLs

Service              URL                     SSO Protected
Traefik Dashboard    traefik.fig.systems
LLDAP                lldap.fig.systems
Tinyauth             auth.fig.systems
Homarr               home.fig.systems
Backrest             backup.fig.systems
Jellyfin             flix.fig.systems        *
Jellyseerr           requests.fig.systems
Immich               photos.fig.systems      *
Sonarr               sonarr.fig.systems
Radarr               radarr.fig.systems
SABnzbd              sabnzbd.fig.systems
qBittorrent          qbt.fig.systems
Linkwarden           links.fig.systems
Vikunja              tasks.fig.systems
LubeLogger           garage.fig.systems
Calibre-web          books.fig.systems
Booklore             booklore.fig.systems
FreshRSS             rss.fig.systems
RSSHub               rsshub.fig.systems      *
MicroBin             paste.fig.systems       *
File Browser         files.fig.systems

Services marked with * have their own authentication systems.

📦 Media Folder Structure

The VM should have /media mounted at the root with this structure:

/media/
├── audiobooks/
├── books/
├── comics/
├── complete/      # Completed downloads
├── downloads/     # Active downloads
├── homemovies/
├── incomplete/    # Incomplete downloads
├── movies/
├── music/
├── photos/
└── tv/

🚀 Deployment

Prerequisites

  1. DNS Configuration: Point *.fig.systems and *.edfig.dev to your server IP
  2. Media Folders: Ensure /media is mounted with the folder structure above
  3. Docker Network: Create the homelab network
docker network create homelab

Deployment Order

  1. Core Infrastructure (must be first):
cd compose/core/traefik && docker compose up -d
cd compose/core/lldap && docker compose up -d
cd compose/core/tinyauth && docker compose up -d
  2. Configure LLDAP:

    • Visit https://lldap.fig.systems
    • Login with admin credentials from .env
    • Create an observer user for tinyauth
    • Add regular users for authentication
  3. Update Passwords:

    • Update LLDAP_LDAP_USER_PASS in core/lldap/.env
    • Update LDAP_BIND_PASSWORD in core/tinyauth/.env to match
    • Update SESSION_SECRET in core/tinyauth/.env
    • Update database passwords in service .env files
  4. Deploy Services:

# Media frontend
cd compose/media/frontend/jellyfin && docker compose up -d
cd compose/media/frontend/jellyseer && docker compose up -d
cd compose/media/frontend/immich && docker compose up -d

# Media automation
cd compose/media/automation/sonarr && docker compose up -d
cd compose/media/automation/radarr && docker compose up -d
cd compose/media/automation/sabnzbd && docker compose up -d
cd compose/media/automation/qbittorrent && docker compose up -d

# Utility services
cd compose/services/linkwarden && docker compose up -d
cd compose/services/vikunja && docker compose up -d
cd compose/services/homarr && docker compose up -d
cd compose/services/backrest && docker compose up -d
cd compose/services/lubelogger && docker compose up -d
cd compose/services/calibre-web && docker compose up -d
cd compose/services/booklore && docker compose up -d
cd compose/services/FreshRSS && docker compose up -d
cd compose/services/rsshub && docker compose up -d
cd compose/services/microbin && docker compose up -d
cd compose/services/filebrowser && docker compose up -d

🔐 Security Considerations

  1. Change Default Passwords: All .env files contain placeholder passwords marked with changeme_*
  2. LLDAP Observer User: Create a readonly user in LLDAP for tinyauth to bind
  3. SSL Certificates: Traefik automatically obtains Let's Encrypt certificates
  4. Network Isolation: Services use internal networks for database/cache communication
  5. SSO: Most services are protected by tinyauth forward authentication

📝 Configuration Files

Each service has its own .env file where applicable. Key files to review:

  • core/lldap/.env - LDAP configuration and admin credentials
  • core/tinyauth/.env - LDAP connection and session settings
  • media/frontend/immich/.env - Photo management configuration
  • services/linkwarden/.env - Bookmark manager settings
  • services/microbin/.env - Pastebin configuration

🔧 Maintenance

Viewing Logs

cd compose/[category]/[service]
docker compose logs -f

Updating Services

cd compose/[category]/[service]
docker compose pull
docker compose up -d

Backing Up Data

Important data locations:

  • LLDAP: compose/core/lldap/data/
  • Service configs: compose/*/*/config/
  • Databases: compose/*/*/db/ or compose/*/*/pgdata/
  • Media: /media/ (handle separately)

🐛 Troubleshooting

Service won't start

  1. Check logs: docker compose logs
  2. Verify network exists: docker network ls | grep homelab
  3. Check port conflicts: docker ps -a

SSL certificate issues

  1. Verify DNS points to your server
  2. Check Traefik logs: cd compose/core/traefik && docker compose logs
  3. Ensure ports 80 and 443 are open

SSO not working

  1. Verify tinyauth is running: docker ps | grep tinyauth
  2. Check LLDAP connection in tinyauth logs
  3. Verify LDAP bind credentials match in both services
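A pre-deployment check for the two items above that are easiest to get wrong: unreplaced changeme_* placeholders in any .env file, and a LDAP bind password that differs between core/lldap/.env and core/tinyauth/.env (the pair the Update Passwords step says must match). This is an added example, not a script from the repository; the function names and the compose/ layout it reads are assumptions taken from the directory structure listed above.

```sh
#!/bin/sh
# Added pre-deployment check; not part of the repository. It verifies that no
# changeme_* placeholder survives in any .env file under compose/ and that
# LLDAP_LDAP_USER_PASS (core/lldap/.env) equals LDAP_BIND_PASSWORD
# (core/tinyauth/.env), the pair the deployment steps say must match.
# Function and variable names below are this example's own choices.

# env_get FILE KEY: print KEY's value (first match, outer quotes stripped).
env_get() {
    grep -E "^[[:space:]]*$2=" "$1" | head -n1 | cut -d= -f2- \
        | sed -e 's/^"//;s/"$//' -e "s/^'//;s/'\$//"
}

# find_placeholders FILE: print keys whose value still starts with changeme_.
find_placeholders() {
    grep -E "^[A-Za-z_][A-Za-z0-9_]*=[\"']?changeme_" "$1" | cut -d= -f1
}

# check_placeholders FILE: 0 when clean, 1 (key names on stderr) otherwise.
check_placeholders() {
    keys=$(find_placeholders "$1")
    [ -z "$keys" ] && return 0
    printf '%s: unreplaced placeholders:\n%s\n' "$1" "$keys" >&2
    return 1
}

# check_bind_match LLDAP_ENV TINYAUTH_ENV: 0 when the bind password is set
# and identical in both files, 1 otherwise. Values are never printed.
check_bind_match() {
    a=$(env_get "$1" LLDAP_LDAP_USER_PASS)
    b=$(env_get "$2" LDAP_BIND_PASSWORD)
    if [ -z "$a" ] || [ "$a" != "$b" ]; then
        echo "LDAP bind password differs between $1 and $2" >&2
        return 1
    fi
    return 0
}

# preflight [ROOT]: run both checks over the compose tree (default ./compose)
# and return non-zero if any file fails, so it can gate "docker compose up".
preflight() {
    root="${1:-compose}"; rc=0
    for f in $(find "$root" -name .env); do
        check_placeholders "$f" || rc=1
    done
    check_bind_match "$root/core/lldap/.env" "$root/core/tinyauth/.env" || rc=1
    return "$rc"
}
```

Run `preflight` from the repository root before the Deploy Services step; a non-zero exit names the file and key that still needs attention without echoing any secret value.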

📄 License

This is a personal homelab configuration. Use at your own risk.

🤝 Contributing

This is a personal repository, but feel free to use it as a reference for your own homelab!