Add stack-type labels and public service stacks

Add com.ghost.tel/stack-type labels to all stacks: - prod (17): Production services from core - dev-only (11): Experimental/device-specific services - public (8): Public-facing services (uplink.tel, sequela.tel) New public stacks from docker-public: - nitter-public: Nitter instance for uplink.tel - freshrss-public: FreshRSS for uplink.tel - rsshub-public: RSSHub for uplink.tel - searx-public: SearXNG for uplink.tel - wikijs-public: Wiki.js for sequela.tel - matomo-public: Matomo analytics for sequela.tel Also fixes: - Remove obsolete 'version' key from compose files - Fix snowflake to remove duplicate watchtower service - Standardize compose file formatting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 10:02:37 -05:00
parent 7704551668
commit 32e7536fd8
38 changed files with 264 additions and 19 deletions
--- a/stacks/authentik/docker-compose.yml
+++ b/stacks/authentik/docker-compose.yml
@@ -25,6 +25,7 @@ services:
      - web
      - default
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=https"
      - "traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)"
--- a/stacks/bookclub/docker-compose.yml
+++ b/stacks/bookclub/docker-compose.yml
@@ -6,6 +6,7 @@ services:
    env_file:
      - .env
    labels:
      - "com.ghost.tel/stack-type=dev-only"
      - "traefik.enable=true"
      - "traefik.http.routers.form-mailer.rule=Host(`bookclub.${DOMAIN}`)"
      - "traefik.http.routers.form-mailer.entrypoints=https"
--- a/stacks/brain/docker-compose.yml
+++ b/stacks/brain/docker-compose.yml
@@ -11,6 +11,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.brain.entrypoints=https"
      - "traefik.http.routers.brain.rule=Host(`brain.${DOMAIN}`)"
--- a/stacks/changedetection/docker-compose.yml
+++ b/stacks/changedetection/docker-compose.yml
@@ -13,6 +13,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.changedetection.entrypoints=https"
      - "traefik.http.routers.changedetection.rule=Host(`change.${DOMAIN}`)"
--- a/stacks/dockge/docker-compose.yml
+++ b/stacks/dockge/docker-compose.yml
@@ -14,6 +14,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=dev-only"
      - "traefik.enable=true"
      - "traefik.http.routers.dockge.rule=Host(`dockge.${DOMAIN}`)"
      - "traefik.http.routers.dockge.entrypoints=https"
--- a/stacks/filebrowser/docker-compose.yml
+++ b/stacks/filebrowser/docker-compose.yml
@@ -11,6 +11,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=dev-only"
      - "traefik.enable=true"
      - "traefik.http.routers.filebrowser.entrypoints=https"
      - "traefik.http.routers.filebrowser.rule=Host(`files.${DOMAIN}`)"
--- a/stacks/freshrss-public/docker-compose.yml
+++ b/stacks/freshrss-public/docker-compose.yml
@@ -0,0 +1,23 @@
 services:
  freshrss:
    image: lscr.io/linuxserver/freshrss:latest
    container_name: freshrss
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
      - "traefik.enable=true"
      - "traefik.http.routers.freshrss.entrypoints=https"
      - "traefik.http.routers.freshrss.rule=Host(`freshrss.uplink.tel`)"
      - "traefik.http.routers.freshrss.tls.certresolver=http"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - ./config:/config
    networks:
      - web
 networks:
  web:
    external: true
--- a/stacks/ghost/docker-compose.yml
+++ b/stacks/ghost/docker-compose.yml
@@ -18,6 +18,7 @@ services:
    volumes:
      - ./content:/var/lib/ghost/content
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.ghost.entrypoints=https"
      - "traefik.http.routers.ghost.rule=Host(`ghost.${DOMAIN}`)"
--- a/stacks/gitea/docker-compose.yml
+++ b/stacks/gitea/docker-compose.yml
@@ -22,6 +22,7 @@ services:
      - default
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.entrypoints=https"
      - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
--- a/stacks/gollum/docker-compose.yml
+++ b/stacks/gollum/docker-compose.yml
@@ -13,6 +13,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.gollum.entrypoints=https"
      - "traefik.http.routers.gollum.rule=Host(`gollum.${DOMAIN}`)"
--- a/stacks/invidious/docker-compose.yml
+++ b/stacks/invidious/docker-compose.yml
@@ -39,6 +39,7 @@ services:
          cpus: '1'
          memory: 2G
    labels:
      - "com.ghost.tel/stack-type=public"
      - "traefik.enable=true"
      - "traefik.http.services.invidious.loadbalancer.server.port=3000"
      - "traefik.http.routers.invidious.entrypoints=https"
--- a/stacks/matomo-public/.env.template
+++ b/stacks/matomo-public/.env.template
@@ -0,0 +1,2 @@
 MATOMO_MYSQL_ROOT_PASSWORD=changeme
 MATOMO_MYSQL_PASSWORD=changeme
--- a/stacks/matomo-public/docker-compose.yml
+++ b/stacks/matomo-public/docker-compose.yml
@@ -0,0 +1,50 @@
 services:
  db:
    image: mariadb:latest
    container_name: matomo-db
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
    command: --max-allowed-packet=64MB
    environment:
      MYSQL_ROOT_PASSWORD: ${MATOMO_MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: matomo
      MYSQL_USER: matomo
      MYSQL_PASSWORD: ${MATOMO_MYSQL_PASSWORD}
    volumes:
      - ./mysql:/var/lib/mysql
  app:
    image: matomo:latest
    container_name: matomo
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
      - "traefik.enable=true"
      - "traefik.http.routers.matomo.entrypoints=https"
      - "traefik.http.routers.matomo.rule=Host(`matomo.sequela.tel`) || Host(`matomo.sequela.uk`)"
      - "traefik.http.routers.matomo.tls.certresolver=http"
      - "traefik.http.services.matomo.loadbalancer.server.port=80"
    environment:
      MATOMO_DATABASE_HOST: db
      MATOMO_DATABASE_ADAPTER: mysql
      MATOMO_DATABASE_TABLES_PREFIX: matomo_
      MATOMO_DATABASE_USERNAME: matomo
      MATOMO_DATABASE_PASSWORD: ${MATOMO_MYSQL_PASSWORD}
      MATOMO_DATABASE_DBNAME: matomo
    volumes:
      - matomo-data:/var/www/html
    expose:
      - "80"
    depends_on:
      - db
    networks:
      - web
      - default
 volumes:
  matomo-data:
 networks:
  web:
    external: true
--- a/stacks/memento/docker-compose.yml
+++ b/stacks/memento/docker-compose.yml
@@ -11,6 +11,7 @@ services:
      - web
      - default
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.memento.entrypoints=https"
      - "traefik.http.routers.memento.rule=Host(`memento.${DOMAIN}`)"
--- a/stacks/meshmon/docker-compose.yml
+++ b/stacks/meshmon/docker-compose.yml
@@ -2,6 +2,8 @@ services:
  meshmonitor:
    image: ghcr.io/yeraze/meshmonitor:latest
    container_name: meshmonitor
    labels:
      - "com.ghost.tel/stack-type=dev-only"
    ports:
      - "8383:3001"
    restart: unless-stopped
--- a/stacks/meshtastic-web/docker-compose.yml
+++ b/stacks/meshtastic-web/docker-compose.yml
@@ -3,5 +3,7 @@ services:
    image: ghcr.io/meshtastic/web:latest
    container_name: meshtastic-web
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=dev-only"
    ports:
      - "8585:8080"
--- a/stacks/mllogwatcher/docker-compose.yml
+++ b/stacks/mllogwatcher/docker-compose.yml
@@ -1,8 +1,8 @@
 version: "3.9"
 services:
  grafana-alert-webhook:
    build: .
    labels:
      - "com.ghost.tel/stack-type=dev-only"
    env_file:
      - .env
    ports:
--- a/stacks/network-mcp/docker-compose.yml
+++ b/stacks/network-mcp/docker-compose.yml
@@ -1,11 +1,11 @@
 version: "3.9"
 services:
  frontend:
    build:
      context: .
      dockerfile: frontend/Dockerfile
    restart: always
    labels:
      - "com.ghost.tel/stack-type=dev-only"
    env_file:
      - .env
    environment:
--- a/stacks/nitter-public/docker-compose.yml
+++ b/stacks/nitter-public/docker-compose.yml
@@ -0,0 +1,20 @@
 services:
  nitter:
    image: zedeus/nitter:latest
    container_name: nitter
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
      - "traefik.enable=true"
      - "traefik.http.routers.nitter.entrypoints=https"
      - "traefik.http.routers.nitter.rule=Host(`nitter.uplink.tel`)"
      - "traefik.http.routers.nitter.tls.certresolver=http"
      - "traefik.http.services.nitter.loadbalancer.server.port=8080"
    volumes:
      - ./nitter.conf:/src/nitter.conf:ro
    networks:
      - web
 networks:
  web:
    external: true
--- a/stacks/obby/docker-compose.yml
+++ b/stacks/obby/docker-compose.yml
@@ -3,6 +3,8 @@ services:
  obsidian:
    image: lscr.io/linuxserver/obsidian:latest
    container_name: obsidian
    labels:
      - "com.ghost.tel/stack-type=dev-only"
    security_opt:
      - seccomp:unconfined #optional
    environment:
--- a/stacks/obsidian-tools/docker-compose.yml
+++ b/stacks/obsidian-tools/docker-compose.yml
@@ -18,6 +18,7 @@ services:
    depends_on:
      - syncthing
    labels:
      - "com.ghost.tel/stack-type=dev-only"
      - "traefik.enable=true"
      - "traefik.docker.network=web"
      - "traefik.http.routers.todo-obbytodo.entrypoints=https"
--- a/stacks/perilous/docker-compose.yml
+++ b/stacks/perilous/docker-compose.yml
@@ -12,6 +12,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.perilous.entrypoints=https"
      - "traefik.http.routers.perilous.rule=Host(`perilous.dev`) || Host(`www.perilous.dev`) || HostRegexp(`^.+\\.perilous\\.dev$$`)"
--- a/stacks/radicale/docker-compose.yml
+++ b/stacks/radicale/docker-compose.yml
@@ -25,6 +25,7 @@ services:
    volumes:
      - ./data:/data
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.radicale.entrypoints=https"
      - "traefik.http.routers.radicale.rule=Host(`radicale.${DOMAIN}`)"
--- a/stacks/ramz/docker-compose.yml
+++ b/stacks/ramz/docker-compose.yml
@@ -13,6 +13,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.ramz-secure.entrypoints=https,http"
      - "traefik.http.routers.ramz-secure.rule=Host(`parker.ramz.cc`)"
--- a/stacks/registry/docker-compose.yml
+++ b/stacks/registry/docker-compose.yml
@@ -14,6 +14,7 @@ services:
      interval: 60s
      timeout: 10s
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.registry.entrypoints=https"
      - "traefik.http.routers.registry.rule=Host(`registry.${DOMAIN}`)"
--- a/stacks/rsshub-public/docker-compose.yml
+++ b/stacks/rsshub-public/docker-compose.yml
@@ -0,0 +1,22 @@
 services:
  rsshub:
    image: diygod/rsshub:latest
    container_name: rsshub
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
      - "traefik.enable=true"
      - "traefik.http.routers.rsshub.entrypoints=https"
      - "traefik.http.routers.rsshub.rule=Host(`rsshub.uplink.tel`)"
      - "traefik.http.routers.rsshub.tls.certresolver=http"
      - "traefik.http.services.rsshub.loadbalancer.server.port=1200"
    environment:
      - CACHE_EXPIRE=3600
    expose:
      - "1200"
    networks:
      - web
 networks:
  web:
    external: true
--- a/stacks/searx-public/docker-compose.yml
+++ b/stacks/searx-public/docker-compose.yml
@@ -0,0 +1,54 @@
 services:
  redis:
    image: redis:alpine
    container_name: searx-redis
    restart: unless-stopped
    command: redis-server --save "" --appendonly "no"
    tmpfs:
      - /var/lib/redis
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    networks:
      - default
  searxng:
    image: searxng/searxng:latest
    container_name: searxng
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
      - "traefik.enable=true"
      - "traefik.http.routers.searx.entrypoints=https"
      - "traefik.http.routers.searx.rule=Host(`searx.uplink.tel`)"
      - "traefik.http.routers.searx.tls.certresolver=http"
      - "traefik.http.services.searx.loadbalancer.server.port=8080"
    environment:
      - SEARXNG_BASE_URL=https://searx.uplink.tel/
    volumes:
      - ./config:/etc/searxng:rw
    expose:
      - "8080"
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"
    depends_on:
      - redis
    networks:
      - web
      - default
 networks:
  web:
    external: true
--- a/stacks/smokeping/docker-compose.yml
+++ b/stacks/smokeping/docker-compose.yml
@@ -15,6 +15,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "org.opencontainers.image.source=https://gitea.ghost.tel/knight/docker-stacks"
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
--- a/stacks/snowflake/docker-compose.yml
+++ b/stacks/snowflake/docker-compose.yml
@@ -4,12 +4,8 @@ services:
    image: containers.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake:latest
    container_name: snowflake-proxy
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
    # For a full list of Snowflake Proxy CLI parameters see
    # https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/proxy?ref_type=heads#running-a-standalone-snowflake-proxy
    #command: [ "-ephemeral-ports-range", "30000:60000" ]
    watchtower:
        image: containrrr/watchtower
        container_name: watchtower
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        command: snowflake-proxy
--- a/stacks/syncthing/docker-compose.yml
+++ b/stacks/syncthing/docker-compose.yml
@@ -19,6 +19,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=dev-only"
      - "traefik.enable=true"
      - "traefik.http.routers.syncthing.entrypoints=https"
      - "traefik.http.routers.syncthing.rule=Host(`syncthing.${DOMAIN}`)"
--- a/stacks/szurubooru/docker-compose.yml
+++ b/stacks/szurubooru/docker-compose.yml
@@ -3,9 +3,10 @@
 ## Use this as a template to set up docker compose, or as guide to set up other
 ## orchestration services
 services:
  server:
    image: szurubooru/server:latest
    labels:
      - "com.ghost.tel/stack-type=dev-only"
    depends_on:
      - sql
    environment:
--- a/stacks/traefik/docker-compose.yml
+++ b/stacks/traefik/docker-compose.yml
@@ -5,6 +5,8 @@ services:
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    labels:
      - "com.ghost.tel/stack-type=prod"
    networks:
      - web
    ports:
--- a/stacks/wallabag/docker-compose.yml
+++ b/stacks/wallabag/docker-compose.yml
@@ -25,6 +25,7 @@ services:
    volumes:
      - ./images:/var/www/wallabag/web/assets/images
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.wallabag.entrypoints=https"
      - "traefik.http.routers.wallabag.rule=Host(`wallabag.${DOMAIN}`)"
--- a/stacks/watchtower/docker-compose.yml
+++ b/stacks/watchtower/docker-compose.yml
@@ -3,6 +3,8 @@ services:
    image: containrrr/watchtower:latest
    container_name: watchtower
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=prod"
    environment:
      - TZ=America/New_York
      - DOCKER_API_VERSION=1.44
--- a/stacks/wikijs-public/.env.template
+++ b/stacks/wikijs-public/.env.template
@@ -0,0 +1 @@
 WIKIJS_DB_PASSWORD=changeme
--- a/stacks/wikijs-public/docker-compose.yml
+++ b/stacks/wikijs-public/docker-compose.yml
@@ -0,0 +1,45 @@
 services:
  db:
    image: postgres:11-alpine
    container_name: wikijs-db
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
    environment:
      POSTGRES_DB: wiki
      POSTGRES_USER: wikijs
      POSTGRES_PASSWORD: ${WIKIJS_DB_PASSWORD}
    volumes:
      - ./db-data:/var/lib/postgresql/data
    logging:
      driver: "none"
  wiki:
    image: requarks/wiki:2
    container_name: wikijs
    restart: unless-stopped
    labels:
      - "com.ghost.tel/stack-type=public"
      - "traefik.enable=true"
      - "traefik.http.routers.wikijs.entrypoints=https"
      - "traefik.http.routers.wikijs.rule=Host(`wiki.sequela.tel`) || Host(`wiki.sequela.uk`)"
      - "traefik.http.routers.wikijs.tls.certresolver=http"
      - "traefik.http.services.wikijs.loadbalancer.server.port=3000"
    environment:
      DB_TYPE: postgres
      DB_HOST: db
      DB_PORT: 5432
      DB_USER: wikijs
      DB_PASS: ${WIKIJS_DB_PASSWORD}
      DB_NAME: wiki
    expose:
      - "3000"
    depends_on:
      - db
    networks:
      - web
      - default
 networks:
  web:
    external: true
--- a/stacks/xbackbone/docker-compose.yml
+++ b/stacks/xbackbone/docker-compose.yml
@@ -14,6 +14,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.xbackbone.entrypoints=https"
      - "traefik.http.routers.xbackbone.rule=Host(`xb.${DOMAIN}`)"
--- a/stacks/zerotier/docker-compose.yml
+++ b/stacks/zerotier/docker-compose.yml
@@ -13,6 +13,7 @@ services:
    networks:
      - web
    labels:
      - "com.ghost.tel/stack-type=prod"
      - "traefik.enable=true"
      - "traefik.http.routers.zerotier.entrypoints=https"
      - "traefik.http.routers.zerotier.rule=Host(`zerotierui.${DOMAIN}`)"
		`@@ -0,0 +1,2 @@`
							`MATOMO_MYSQL_ROOT_PASSWORD=changeme`
							`MATOMO_MYSQL_PASSWORD=changeme`