Add hourly restart sidecar for invidious and companion

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -27,15 +27,32 @@ jobs:
           STACKS=$(git diff --name-only HEAD~1 HEAD 2>/dev/null | grep '^stacks/' | cut -d'/' -f2 | sort -u || echo "")
 
           if [ -z "$STACKS" ]; then
-            echo "No stacks changed, deploying all..."
+            echo "No stacks changed, checking all stacks..."
             STACKS=$(ls stacks/)
           fi
 
-          echo "Deploying: $STACKS"
+          echo "Evaluating stacks: $STACKS"
+          echo ""
 
           for stack in $STACKS; do
+            COMPOSE_FILE="stacks/$stack/docker-compose.yml"
+
+            # Check stack-type label
+            STACK_TYPE=$(grep -o 'stack-type=[^"]*' "$COMPOSE_FILE" 2>/dev/null | head -1 | cut -d= -f2)
+
+            if [ -z "$STACK_TYPE" ]; then
+              echo "⚠️  SKIP $stack - no stack-type label found"
+              continue
+            fi
+
+            # On prod, only deploy 'prod' and 'public' stacks
+            if [ "$STACK_TYPE" != "prod" ] && [ "$STACK_TYPE" != "public" ]; then
+              echo "⏭️  SKIP $stack - stack-type=$STACK_TYPE (not for prod)"
+              continue
+            fi
+
             echo "=========================================="
-            echo "Deploying $stack..."
+            echo "Deploying $stack (stack-type=$STACK_TYPE)..."
             echo "=========================================="
 
             STACK_DIR="${{ env.STACKS_DIR }}/$stack"
@@ -44,9 +61,10 @@ jobs:
             # Copy files
             sudo cp -r stacks/$stack/* "$STACK_DIR/"
 
-            # Create .env from template if exists
+            # Create .env from template if .env doesn't exist
-            if [ -f "$STACK_DIR/.env.template" ]; then
+            if [ -f "$STACK_DIR/.env.template" ] && [ ! -f "$STACK_DIR/.env" ]; then
-              sudo envsubst < "$STACK_DIR/.env.template" > "$STACK_DIR/.env"
+              echo "Creating .env from template..."
+              sudo sh -c "DOMAIN=$DOMAIN envsubst < '$STACK_DIR/.env.template' > '$STACK_DIR/.env'"
             fi
 
             # Deploy
@@ -59,11 +77,11 @@ jobs:
           done
 
       - name: Show running containers
-        run: sudo docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | head -20
+        run: sudo docker ps --format "table {{.Names}}\t{{.Status}}" | head -30 || true
 
   deploy-dev:
     if: ${{ github.ref == 'refs/heads/dev' }}
-    runs-on: ubuntu-dev
+    runs-on: ubuntu-dev:host
     steps:
       - uses: actions/checkout@v4
         with:
@@ -77,15 +95,32 @@ jobs:
           STACKS=$(git diff --name-only HEAD~1 HEAD 2>/dev/null | grep '^stacks/' | cut -d'/' -f2 | sort -u || echo "")
 
           if [ -z "$STACKS" ]; then
-            echo "No stacks changed, deploying all..."
+            echo "No stacks changed, checking all stacks..."
             STACKS=$(ls stacks/)
           fi
 
-          echo "Deploying: $STACKS"
+          echo "Evaluating stacks: $STACKS"
+          echo ""
 
           for stack in $STACKS; do
+            COMPOSE_FILE="stacks/$stack/docker-compose.yml"
+
+            # Check stack-type label
+            STACK_TYPE=$(grep -o 'stack-type=[^"]*' "$COMPOSE_FILE" 2>/dev/null | head -1 | cut -d= -f2)
+
+            if [ -z "$STACK_TYPE" ]; then
+              echo "⚠️  SKIP $stack - no stack-type label found"
+              continue
+            fi
+
+            # On dev, only deploy 'dev-only' stacks
+            if [ "$STACK_TYPE" != "dev-only" ]; then
+              echo "⏭️  SKIP $stack - stack-type=$STACK_TYPE (not for dev)"
+              continue
+            fi
+
             echo "=========================================="
-            echo "Deploying $stack..."
+            echo "Deploying $stack (stack-type=$STACK_TYPE)..."
             echo "=========================================="
 
             STACK_DIR="${{ env.STACKS_DIR }}/$stack"
@@ -94,9 +129,10 @@ jobs:
             # Copy files
             sudo cp -r stacks/$stack/* "$STACK_DIR/"
 
-            # Create .env from template if exists
+            # Create .env from template if .env doesn't exist
-            if [ -f "$STACK_DIR/.env.template" ]; then
+            if [ -f "$STACK_DIR/.env.template" ] && [ ! -f "$STACK_DIR/.env" ]; then
-              sudo envsubst < "$STACK_DIR/.env.template" > "$STACK_DIR/.env"
+              echo "Creating .env from template..."
+              sudo sh -c "DOMAIN=$DOMAIN envsubst < '$STACK_DIR/.env.template' > '$STACK_DIR/.env'"
             fi
 
             # Deploy
@@ -109,4 +145,4 @@ jobs:
           done
 
       - name: Show running containers
-        run: sudo docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | head -20
+        run: sudo docker ps --format "table {{.Names}}\t{{.Status}}" | head -30 || true

README.md

@@ -18,6 +18,7 @@ stacks/
 ├── perilous/         # Blog/website
 ├── ramz/             # Go web app
 ├── bookclub/         # Form mailer
+├── invidious/        # YouTube frontend
 ├── watchtower/       # Auto container updates
 ├── dockge/           # Container management UI
 └── smokeping/        # Network monitoring
@@ -96,6 +97,13 @@ Set these in Gitea → Repository → Settings → Actions → Secrets:
 |--------|-------------|
 | `PERILOUS_CODE_SERVER_PASSWORD` | Code-server password |
 
+### Invidious
+| Secret | Description |
+|--------|-------------|
+| `INVIDIOUS_DB_PASSWORD` | PostgreSQL password |
+| `INVIDIOUS_HMAC_KEY` | Generate: `openssl rand -hex 16` |
+| `INVIDIOUS_COMPANION_KEY` | **Must be exactly 16 chars**: `openssl rand -base64 12` |
+
 ## Runner Setup
 
 The workflow requires a self-hosted runner on the prod server:
@@ -139,3 +147,5 @@ act_runner daemon
    ```
 
 4. Then deploy other stacks as needed.
+# Runner test Wed 21 Jan 2026 12:08:53 AM EST
+# Runner test 2 Wed 21 Jan 2026 12:11:37 AM EST

scripts/test-services.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+# Test all service URLs to verify they're responding
+# Note: Some services may not be deployed yet - failures indicate either
+# the service isn't running or routing isn't configured
+
+DOMAIN="ghost.tel"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+NC='\033[0m' # No Color
+
+# All service URLs
+URLS=(
+    # ghost.tel services
+    "https://authentik.$DOMAIN"
+    "https://bookclub.$DOMAIN"
+    "https://brain.$DOMAIN"
+    "https://change.$DOMAIN"
+    "https://dockge.$DOMAIN"
+    "https://files.$DOMAIN"
+    "https://ghost.$DOMAIN"
+    "https://gitea.$DOMAIN"
+    "https://gollum.$DOMAIN"
+    "https://inv.$DOMAIN"
+    "https://memento.$DOMAIN"
+    "https://radicale.$DOMAIN"
+    "https://registry.$DOMAIN/v2/"
+    "https://smoke.$DOMAIN"
+    "https://syncthing.$DOMAIN"
+    "https://wallabag.$DOMAIN"
+    "https://xb.$DOMAIN"
+    "https://zerotierui.$DOMAIN"
+
+    # perilous.dev
+    "https://perilous.dev"
+    "https://www.perilous.dev"
+    "https://cs.perilous.dev"
+    "https://forest.perilous.dev"
+    "https://chapel.perilous.dev"
+
+    # uplink.tel (proxied via docker-public)
+    "https://nitter.uplink.tel"
+    "https://invidious.uplink.tel"
+    "https://searx.uplink.tel"
+    "https://freshrss.uplink.tel"
+    "https://rsshub.uplink.tel"
+    "https://radio.uplink.tel"
+
+    # sequela.tel (proxied via docker-public)
+    "https://wiki.sequela.tel"
+    "https://matomo.sequela.tel"
+
+    # Other domains
+    "https://spider.ghost.tel"
+    "https://tlc.ghost.tel"
+    "https://thislittlecorner.net"
+    "https://parker.ramz.cc"
+)
+
+echo "Testing ${#URLS[@]} service URLs..."
+echo ""
+
+PASS=0
+FAIL=0
+
+for url in "${URLS[@]}"; do
+    # Get HTTP status code with 5 second timeout
+    status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 "$url" 2>/dev/null)
+
+    if [[ -z "$status" || "$status" == "000" ]]; then
+        echo -e "${RED}FAIL${NC} $url - Connection failed/timeout"
+        ((FAIL++))
+    elif [[ "$status" =~ ^[23] ]]; then
+        echo -e "${GREEN}PASS${NC} $url - HTTP $status"
+        ((PASS++))
+    elif [[ "$status" =~ ^4 ]]; then
+        # 401/403 might be expected for auth-protected services
+        if [[ "$status" == "401" || "$status" == "403" ]]; then
+            echo -e "${YELLOW}AUTH${NC} $url - HTTP $status (auth required)"
+            ((PASS++))
+        else
+            echo -e "${RED}FAIL${NC} $url - HTTP $status"
+            ((FAIL++))
+        fi
+    else
+        echo -e "${RED}FAIL${NC} $url - HTTP $status"
+        ((FAIL++))
+    fi
+done
+
+echo ""
+echo "----------------------------------------"
+echo -e "Results: ${GREEN}$PASS passed${NC}, ${RED}$FAIL failed${NC}"
+exit $FAIL

stacks/analoggallery-public/docker-compose.yml

@@ -0,0 +1,26 @@
+services:
+  gallery:
+    build:
+      context: https://gitea.ghost.tel/knight/analogGallery.git#main
+    container_name: analoggallery
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=public"
+      - "traefik.enable=true"
+      - "traefik.http.routers.analoggallery.entrypoints=https"
+      - "traefik.http.routers.analoggallery.rule=Host(`analog.uplink.tel`)"
+      - "traefik.http.routers.analoggallery.tls.certresolver=http"
+      - "traefik.http.services.analoggallery.loadbalancer.server.port=3000"
+    environment:
+      - NODE_ENV=production
+    volumes:
+      - ./images:/app/images
+      - ./images.json:/app/images.json
+    expose:
+      - "3000"
+    networks:
+      - web
+
+networks:
+  web:
+    external: true

stacks/astro/.env.template

@@ -0,0 +1 @@
+DOMAIN=${DOMAIN}

stacks/astro/docker-compose.yml

@@ -0,0 +1,23 @@
+services:
+  astro:
+    image: nginx:alpine
+    container_name: astro
+    restart: unless-stopped
+    expose:
+      - 80
+    volumes:
+      - ./dist:/usr/share/nginx/html:ro
+      - ./nginx-cors.conf:/etc/nginx/conf.d/default.conf:ro
+    networks:
+      - web
+    labels:
+      - "com.ghost.tel/stack-type=public"
+      - "traefik.enable=true"
+      - "traefik.http.routers.astro.entrypoints=https"
+      - "traefik.http.routers.astro.rule=Host(`e.field.${DOMAIN}`)"
+      - "traefik.http.routers.astro.tls.certresolver=http"
+      - "traefik.http.services.astro.loadbalancer.server.port=80"
+
+networks:
+  web:
+    external: true

stacks/astro/nginx-cors.conf

@@ -0,0 +1,27 @@
+server {
+    listen 80;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+
+        # CORS configuration
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
+        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain; charset=utf-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
+
+        try_files $uri $uri/ =404;
+    }
+}

stacks/authentik/docker-compose.yml

@@ -3,6 +3,8 @@ services:
     image: ghcr.io/goauthentik/server:latest
     container_name: authentik-server
     restart: unless-stopped
+    ports:
+      - "9000:9000"
     command: server
     environment:
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
@@ -23,11 +25,16 @@ services:
       - web
       - default
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.authentik.entrypoints=https"
       - "traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)"
       - "traefik.http.routers.authentik.tls.certresolver=http"
       - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+      - "traefik.http.routers.authentik-outpost.entrypoints=https"
+      - "traefik.http.routers.authentik-outpost.rule=HostRegexp(`{subdomain:[a-z0-9]+}.ghost.tel`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      - "traefik.http.routers.authentik-outpost.service=authentik"
+      - "traefik.http.routers.authentik-outpost.tls.certresolver=http"
 
   worker:
     image: ghcr.io/goauthentik/server:latest
@@ -52,7 +59,7 @@ services:
       - redis
 
   postgresql:
-    image: postgres:15-alpine
+    image: postgres:12-alpine
     container_name: authentik-postgres
     restart: unless-stopped
     environment:

stacks/bookclub/docker-compose.yml

@@ -6,6 +6,7 @@ services:
     env_file:
       - .env
     labels:
+      - "com.ghost.tel/stack-type=dev-only"
       - "traefik.enable=true"
       - "traefik.http.routers.form-mailer.rule=Host(`bookclub.${DOMAIN}`)"
       - "traefik.http.routers.form-mailer.entrypoints=https"

stacks/brain/docker-compose.yml

@@ -11,11 +11,12 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.brain.entrypoints=https"
       - "traefik.http.routers.brain.rule=Host(`brain.${DOMAIN}`)"
       - "traefik.http.routers.brain.tls.certresolver=http"
-      - "traefik.http.routers.brain.middlewares=auth@file"
+      - "traefik.http.routers.brain.middlewares=auth@docker"
 
   sftp:
     image: atmoz/sftp

stacks/changedetection/docker-compose.yml

@@ -13,11 +13,12 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.changedetection.entrypoints=https"
       - "traefik.http.routers.changedetection.rule=Host(`change.${DOMAIN}`)"
       - "traefik.http.routers.changedetection.tls.certresolver=http"
-      - "traefik.http.routers.changedetection.middlewares=auth@file"
+      - "traefik.http.routers.changedetection.middlewares=auth@docker"
     depends_on:
       - playwright-chrome
 

stacks/dockge/docker-compose.yml

@@ -4,7 +4,7 @@ services:
     container_name: dockge
     restart: unless-stopped
     ports:
-      - 5001:5001
+      - 5002:5001
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./data:/app/data
@@ -14,6 +14,7 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=dev-only"
       - "traefik.enable=true"
       - "traefik.http.routers.dockge.rule=Host(`dockge.${DOMAIN}`)"
       - "traefik.http.routers.dockge.entrypoints=https"

stacks/filebrowser/docker-compose.yml

@@ -11,6 +11,7 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=dev-only"
       - "traefik.enable=true"
       - "traefik.http.routers.filebrowser.entrypoints=https"
       - "traefik.http.routers.filebrowser.rule=Host(`files.${DOMAIN}`)"

stacks/freshrss-public/docker-compose.yml

@@ -0,0 +1,23 @@
+services:
+  freshrss:
+    image: lscr.io/linuxserver/freshrss:latest
+    container_name: freshrss
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=public"
+      - "traefik.enable=true"
+      - "traefik.http.routers.freshrss.entrypoints=https"
+      - "traefik.http.routers.freshrss.rule=Host(`freshrss.uplink.tel`)"
+      - "traefik.http.routers.freshrss.tls.certresolver=http"
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=America/New_York
+    volumes:
+      - ./config:/config
+    networks:
+      - web
+
+networks:
+  web:
+    external: true

stacks/ghost/docker-compose.yml

@@ -18,6 +18,7 @@ services:
     volumes:
       - ./content:/var/lib/ghost/content
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.ghost.entrypoints=https"
       - "traefik.http.routers.ghost.rule=Host(`ghost.${DOMAIN}`)"

stacks/gitea/.trigger

@@ -0,0 +1 @@
+# Trigger deploy 1768957434

stacks/gitea/docker-compose.yml

@@ -10,6 +10,7 @@ services:
       - "22"
     ports:
       - "2245:22"
+      - "3001:3000"
     depends_on:
       - db
     environment:
@@ -21,6 +22,7 @@ services:
       - default
       - web
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.gitea.entrypoints=https"
       - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
@@ -52,6 +54,7 @@ services:
     environment:
       - GITEA_INSTANCE_URL=https://gitea.${DOMAIN}
       - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
+      - GITEA_RUNNER_LABELS=ubuntu-prod:host
 
 networks:
   web:

stacks/gollum/docker-compose.yml

@@ -13,11 +13,12 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.gollum.entrypoints=https"
       - "traefik.http.routers.gollum.rule=Host(`gollum.${DOMAIN}`)"
       - "traefik.http.routers.gollum.tls.certresolver=http"
-      - "traefik.http.routers.gollum.middlewares=auth@file"
+      - "traefik.http.routers.gollum.middlewares=auth@docker"
 
 networks:
   web:

stacks/homepage/docker-compose.yml

@@ -0,0 +1,28 @@
+services:
+  homepage:
+    image: nginx
+    container_name: homepage
+    restart: unless-stopped
+    volumes:
+      - ./html:/usr/share/nginx/html  # Mount your content directory
+      - ./templates:/etc/nginx/templates  # Mount your templates directory
+    expose:
+      - "80"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.homepage-secure.entrypoints=https,http"
+      - "traefik.http.routers.homepage-secure.rule=Host(`ghost.tel`)"
+      - "traefik.http.routers.homepage-secure.tls.certresolver=http"
+      - "traefik.http.middlewares.watch-redirect.redirectregex.regex=https?://ghost.tel/watch(.*)"
+      - "traefik.http.middlewares.watch-redirect.redirectregex.replacement=https://invid.ghost.tel/watch$${1}"
+      - "traefik.http.middlewares.watch-redirect.redirectregex.permanent=true"
+      - "traefik.http.routers.homepage-secure.middlewares=watch-redirect"
+#      - "traefik.http.routers.homepage-secure.middlewares=auth@file"
+    environment:
+      - NGINX_HOST=ghost.tel
+      - NGINX_PORT=80
+    networks:
+      - web
+networks:
+  web:
+    external: true

stacks/invidious/.env.template

@@ -1,5 +1,4 @@
 DOMAIN=${DOMAIN}
 INVIDIOUS_DB_PASSWORD=${INVIDIOUS_DB_PASSWORD}
-INVIDIOUS_VISITOR_DATA=${INVIDIOUS_VISITOR_DATA}
-INVIDIOUS_PO_TOKEN=${INVIDIOUS_PO_TOKEN}
 INVIDIOUS_HMAC_KEY=${INVIDIOUS_HMAC_KEY}
+INVIDIOUS_COMPANION_KEY=${INVIDIOUS_COMPANION_KEY}

stacks/invidious/config/sql/annotations.sql

@@ -0,0 +1,12 @@
+-- Table: public.annotations
+
+-- DROP TABLE public.annotations;
+
+CREATE TABLE IF NOT EXISTS public.annotations
+(
+  id text NOT NULL,
+  annotations xml,
+  CONSTRAINT annotations_id_key UNIQUE (id)
+);
+
+GRANT ALL ON TABLE public.annotations TO current_user;

stacks/invidious/config/sql/channel_videos.sql

@@ -0,0 +1,30 @@
+-- Table: public.channel_videos
+
+-- DROP TABLE public.channel_videos;
+
+CREATE TABLE IF NOT EXISTS public.channel_videos
+(
+  id text NOT NULL,
+  title text,
+  published timestamp with time zone,
+  updated timestamp with time zone,
+  ucid text,
+  author text,
+  length_seconds integer,
+  live_now boolean,
+  premiere_timestamp timestamp with time zone,
+  views bigint,
+  CONSTRAINT channel_videos_id_key UNIQUE (id)
+);
+
+GRANT ALL ON TABLE public.channel_videos TO current_user;
+
+-- Index: public.channel_videos_ucid_idx
+
+-- DROP INDEX public.channel_videos_ucid_idx;
+
+CREATE INDEX IF NOT EXISTS channel_videos_ucid_idx
+  ON public.channel_videos
+  USING btree
+  (ucid COLLATE pg_catalog."default");
+

stacks/invidious/config/sql/channels.sql

@@ -0,0 +1,25 @@
+-- Table: public.channels
+
+-- DROP TABLE public.channels;
+
+CREATE TABLE IF NOT EXISTS public.channels
+(
+  id text NOT NULL,
+  author text,
+  updated timestamp with time zone,
+  deleted boolean,
+  subscribed timestamp with time zone,
+  CONSTRAINT channels_id_key UNIQUE (id)
+);
+
+GRANT ALL ON TABLE public.channels TO current_user;
+
+-- Index: public.channels_id_idx
+
+-- DROP INDEX public.channels_id_idx;
+
+CREATE INDEX IF NOT EXISTS channels_id_idx
+  ON public.channels
+  USING btree
+  (id COLLATE pg_catalog."default");
+

stacks/invidious/config/sql/nonces.sql

@@ -0,0 +1,22 @@
+-- Table: public.nonces
+
+-- DROP TABLE public.nonces;
+
+CREATE TABLE IF NOT EXISTS public.nonces
+(
+  nonce text,
+  expire timestamp with time zone,
+  CONSTRAINT nonces_id_key UNIQUE (nonce)
+);
+
+GRANT ALL ON TABLE public.nonces TO current_user;
+
+-- Index: public.nonces_nonce_idx
+
+-- DROP INDEX public.nonces_nonce_idx;
+
+CREATE INDEX IF NOT EXISTS nonces_nonce_idx
+  ON public.nonces
+  USING btree
+  (nonce COLLATE pg_catalog."default");
+

stacks/invidious/config/sql/playlist_videos.sql

@@ -0,0 +1,19 @@
+-- Table: public.playlist_videos
+
+-- DROP TABLE public.playlist_videos;
+
+CREATE TABLE IF NOT EXISTS public.playlist_videos
+(
+    title text,
+    id text,
+    author text,
+    ucid text,
+    length_seconds integer,
+    published timestamptz,
+    plid text references playlists(id),
+    index int8,
+    live_now boolean,
+    PRIMARY KEY (index,plid)
+);
+
+GRANT ALL ON TABLE public.playlist_videos TO current_user;

stacks/invidious/config/sql/playlists.sql

@@ -0,0 +1,29 @@
+-- Type: public.privacy
+
+-- DROP TYPE public.privacy;
+
+CREATE TYPE public.privacy AS ENUM
+(
+    'Public',
+    'Unlisted',
+    'Private'
+);
+
+-- Table: public.playlists
+
+-- DROP TABLE public.playlists;
+
+CREATE TABLE IF NOT EXISTS public.playlists
+(
+    title text,
+    id text primary key,
+    author text,
+    description text,
+    video_count integer,
+    created timestamptz,
+    updated timestamptz,
+    privacy privacy,
+    index int8[]
+);
+
+GRANT ALL ON public.playlists TO current_user;

stacks/invidious/config/sql/session_ids.sql

@@ -0,0 +1,23 @@
+-- Table: public.session_ids
+
+-- DROP TABLE public.session_ids;
+
+CREATE TABLE IF NOT EXISTS public.session_ids
+(
+  id text NOT NULL,
+  email text,
+  issued timestamp with time zone,
+  CONSTRAINT session_ids_pkey PRIMARY KEY (id)
+);
+
+GRANT ALL ON TABLE public.session_ids TO current_user;
+
+-- Index: public.session_ids_id_idx
+
+-- DROP INDEX public.session_ids_id_idx;
+
+CREATE INDEX IF NOT EXISTS session_ids_id_idx
+  ON public.session_ids
+  USING btree
+  (id COLLATE pg_catalog."default");
+

stacks/invidious/config/sql/users.sql

@@ -0,0 +1,29 @@
+-- Table: public.users
+
+-- DROP TABLE public.users;
+
+CREATE TABLE IF NOT EXISTS public.users
+(
+  updated timestamp with time zone,
+  notifications text[],
+  subscriptions text[],
+  email text NOT NULL,
+  preferences text,
+  password text,
+  token text,
+  watched text[],
+  feed_needs_update boolean,
+  CONSTRAINT users_email_key UNIQUE (email)
+);
+
+GRANT ALL ON TABLE public.users TO current_user;
+
+-- Index: public.email_unique_idx
+
+-- DROP INDEX public.email_unique_idx;
+
+CREATE UNIQUE INDEX IF NOT EXISTS email_unique_idx
+  ON public.users
+  USING btree
+  (lower(email) COLLATE pg_catalog."default");
+

stacks/invidious/config/sql/videos.sql

@@ -0,0 +1,23 @@
+-- Table: public.videos
+
+-- DROP TABLE public.videos;
+
+CREATE UNLOGGED TABLE IF NOT EXISTS public.videos
+(
+  id text NOT NULL,
+  info text,
+  updated timestamp with time zone,
+  CONSTRAINT videos_pkey PRIMARY KEY (id)
+);
+
+GRANT ALL ON TABLE public.videos TO current_user;
+
+-- Index: public.id_idx
+
+-- DROP INDEX public.id_idx;
+
+CREATE UNIQUE INDEX IF NOT EXISTS id_idx
+  ON public.videos
+  USING btree
+  (id COLLATE pg_catalog."default");
+

stacks/invidious/docker-compose.yml

@@ -1,10 +1,8 @@
 services:
   invidious:
-    image: quay.io/invidious/invidious:latest
+    image: quay.io/invidious/invidious:master
     container_name: invidious
     restart: unless-stopped
-    ports:
-      - "3001:3000"
     environment:
       INVIDIOUS_CONFIG: |
         db:
@@ -14,45 +12,96 @@ services:
           host: invidious-db
           port: 5432
         check_tables: true
-        signature_server: inv_sig_helper:12999
+        invidious_companion:
-        visitor_data: ${INVIDIOUS_VISITOR_DATA}
+          - private_url: "http://invidious-companion:8282/companion"
-        po_token: ${INVIDIOUS_PO_TOKEN}
+            public_url: "https://inv.${DOMAIN}"
+        invidious_companion_key: "${INVIDIOUS_COMPANION_KEY}"
+        external_port: 443
+        domain: inv.${DOMAIN}
+        https_only: true
         hmac_key: "${INVIDIOUS_HMAC_KEY}"
+        hsts: false
+        log_level: Info
+    healthcheck:
+      test: wget -nv --tries=1 --spider "http://127.0.0.1:3000/api/v1/search?q=test" || exit 1
+      interval: 30s
+      timeout: 5s
+      retries: 2
     logging:
       options:
         max-size: "1G"
         max-file: "4"
     depends_on:
       - invidious-db
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 2G
     labels:
+      - "com.ghost.tel/stack-type=public"
       - "traefik.enable=true"
-      - "traefik.http.services.invidious.loadbalancer.server.port=3000"
+      - "traefik.http.services.invid.loadbalancer.server.port=3000"
-      - "traefik.http.routers.invidious.entrypoints=https"
+      - "traefik.http.routers.invid.entrypoints=http,https"
-      - "traefik.http.routers.invidious.rule=Host(`invid.${DOMAIN}`, `i.${DOMAIN}`)"
+      - "traefik.http.routers.invid.rule=Host(`inv.${DOMAIN}`) && !(Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`))"
-      - "traefik.http.routers.invidious.tls.certresolver=http"
+      - "traefik.http.routers.invid.tls.certresolver=http"
     networks:
       - web
       - default
 
-  inv_sig_helper:
+  invidious-companion:
-    image: quay.io/invidious/inv-sig-helper:latest
+    image: quay.io/invidious/invidious-companion:latest
-    container_name: inv-sig-helper
+    container_name: invidious-companion
-    command: ["--tcp", "0.0.0.0:12999"]
-    environment:
-      - RUST_LOG=info
     restart: unless-stopped
+    environment:
+      - SERVER_SECRET_KEY=${INVIDIOUS_COMPANION_KEY}
+      - SERVER_BASE_URL=https://inv.${DOMAIN}/companion
+    logging:
+      options:
+        max-size: "1G"
+        max-file: "4"
     cap_drop:
       - ALL
     read_only: true
+    volumes:
+      - companion-cache:/var/tmp/youtubei.js:rw
     security_opt:
       - no-new-privileges:true
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 1G
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.invid-companion.loadbalancer.server.port=8282"
+      - "traefik.http.routers.invid-companion.entrypoints=http,https"
+      - "traefik.http.routers.invid-companion.rule=Host(`inv.${DOMAIN}`) && (Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/youtubei/v1/player`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`))"
+      - "traefik.http.routers.invid-companion.tls.certresolver=http"
+      - "traefik.http.routers.invid-companion.middlewares=invid-companion-prefix@docker"
+    networks:
+      - web
+      - default
+
+  invidious-restarter:
+    image: docker:cli
+    container_name: invidious-restarter
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    command: sh -c "while true; do sleep 3600; docker restart invidious invidious-companion; done"
+    deploy:
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 32M
 
   invidious-db:
     image: postgres:14
     container_name: invidious-db
     restart: unless-stopped
     volumes:
-      - ./postgres:/var/lib/postgresql/data
+      - postgres-data:/var/lib/postgresql/data
       - ./config/sql:/config/sql
       - ./docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh
     environment:
@@ -61,6 +110,15 @@ services:
       POSTGRES_PASSWORD: ${INVIDIOUS_DB_PASSWORD}
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 1G
+
+volumes:
+  postgres-data:
+  companion-cache:
 
 networks:
   web:

stacks/invidious/docker/init-invidious-db.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -eou pipefail
+
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/channels.sql
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/videos.sql
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/channel_videos.sql
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/users.sql
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/session_ids.sql
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/nonces.sql
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/annotations.sql
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/playlists.sql
+psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < config/sql/playlist_videos.sql

stacks/matomo-public/.env.template

@@ -0,0 +1,2 @@
+MATOMO_MYSQL_ROOT_PASSWORD=changeme
+MATOMO_MYSQL_PASSWORD=changeme

stacks/matomo-public/docker-compose.yml

@@ -0,0 +1,50 @@
+services:
+  db:
+    image: mariadb:latest
+    container_name: matomo-db
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=public"
+    command: --max-allowed-packet=64MB
+    environment:
+      MYSQL_ROOT_PASSWORD: ${MATOMO_MYSQL_ROOT_PASSWORD}
+      MYSQL_DATABASE: matomo
+      MYSQL_USER: matomo
+      MYSQL_PASSWORD: ${MATOMO_MYSQL_PASSWORD}
+    volumes:
+      - ./mysql:/var/lib/mysql
+
+  app:
+    image: matomo:latest
+    container_name: matomo
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=public"
+      - "traefik.enable=true"
+      - "traefik.http.routers.matomo.entrypoints=https"
+      - "traefik.http.routers.matomo.rule=Host(`matomo.sequela.tel`)"
+      - "traefik.http.routers.matomo.tls.certresolver=http"
+      - "traefik.http.services.matomo.loadbalancer.server.port=80"
+    environment:
+      MATOMO_DATABASE_HOST: db
+      MATOMO_DATABASE_ADAPTER: mysql
+      MATOMO_DATABASE_TABLES_PREFIX: matomo_
+      MATOMO_DATABASE_USERNAME: matomo
+      MATOMO_DATABASE_PASSWORD: ${MATOMO_MYSQL_PASSWORD}
+      MATOMO_DATABASE_DBNAME: matomo
+    volumes:
+      - matomo-data:/var/www/html
+    expose:
+      - "80"
+    depends_on:
+      - db
+    networks:
+      - web
+      - default
+
+volumes:
+  matomo-data:
+
+networks:
+  web:
+    external: true

stacks/memento/docker-compose.yml

@@ -11,6 +11,7 @@ services:
       - web
       - default
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.memento.entrypoints=https"
       - "traefik.http.routers.memento.rule=Host(`memento.${DOMAIN}`)"

stacks/meshmon/docker-compose.yml

@@ -2,6 +2,8 @@ services:
   meshmonitor:
     image: ghcr.io/yeraze/meshmonitor:latest
     container_name: meshmonitor
+    labels:
+      - "com.ghost.tel/stack-type=dev-only"
     ports:
       - "8383:3001"
     restart: unless-stopped

stacks/meshtastic-web/docker-compose.yml

@@ -3,5 +3,7 @@ services:
     image: ghcr.io/meshtastic/web:latest
     container_name: meshtastic-web
     restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=dev-only"
     ports:
       - "8585:8080"

stacks/mllogwatcher/docker-compose.yml

@@ -1,8 +1,8 @@
-version: "3.9"
-
 services:
   grafana-alert-webhook:
     build: .
+    labels:
+      - "com.ghost.tel/stack-type=dev-only"
     env_file:
       - .env
     ports:

stacks/network-mcp/docker-compose.yml

@@ -1,11 +1,11 @@
-version: "3.9"
-
 services:
   frontend:
     build:
       context: .
       dockerfile: frontend/Dockerfile
     restart: always
+    labels:
+      - "com.ghost.tel/stack-type=dev-only"
     env_file:
       - .env
     environment:

stacks/obby/docker-compose.yml

@@ -3,6 +3,8 @@ services:
   obsidian:
     image: lscr.io/linuxserver/obsidian:latest
     container_name: obsidian
+    labels:
+      - "com.ghost.tel/stack-type=dev-only"
     security_opt:
       - seccomp:unconfined #optional
     environment:
@@ -14,7 +16,5 @@ services:
     ports:
       - 3002:3000
       - 3003:3001
-    devices:
-      - /dev/dri:/dev/dri #optional
     shm_size: "1gb"
     restart: unless-stopped

stacks/obsidian-tools/docker-compose.yml

@@ -18,12 +18,13 @@ services:
     depends_on:
       - syncthing
     labels:
+      - "com.ghost.tel/stack-type=dev-only"
       - "traefik.enable=true"
       - "traefik.docker.network=web"
       - "traefik.http.routers.todo-obbytodo.entrypoints=https"
       - "traefik.http.routers.todo-obbytodo.rule=Host(`shell.${DOMAIN}`) && PathPrefix(`/todo`)"
       - "traefik.http.routers.todo-obbytodo.tls.certresolver=http"
-      - "traefik.http.routers.todo-obbytodo.middlewares=todo-obbytodo-stripprefix@docker,dashboard-auth@file"
+      - "traefik.http.routers.todo-obbytodo.middlewares=todo-obbytodo-stripprefix@docker,dashboard-auth@docker"
       - "traefik.http.routers.todo-obbytodo.priority=100"
       - "traefik.http.middlewares.todo-obbytodo-stripprefix.stripPrefix.prefixes=/todo"
       - "traefik.http.services.todo-obbytodo.loadbalancer.server.port=3000"
@@ -31,7 +32,7 @@ services:
       - "traefik.http.routers.events-obbytodo.entrypoints=https"
       - "traefik.http.routers.events-obbytodo.rule=Host(`shell.${DOMAIN}`) && PathPrefix(`/events`)"
       - "traefik.http.routers.events-obbytodo.tls.certresolver=http"
-      - "traefik.http.routers.events-obbytodo.middlewares=dashboard-auth@file"
+      - "traefik.http.routers.events-obbytodo.middlewares=dashboard-auth@docker"
       - "traefik.http.routers.events-obbytodo.priority=100"
       - "traefik.http.routers.events-obbytodo.service=todo-obbytodo"
 
@@ -52,13 +53,18 @@ services:
       - syncthing
     networks:
       - web
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- 'http://127.0.0.1:3001/api/search?q=test' >/dev/null 2>&1 || exit 1"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=web"
       - "traefik.http.routers.shell-secure.entrypoints=https"
       - "traefik.http.routers.shell-secure.rule=Host(`shell.${DOMAIN}`)"
       - "traefik.http.routers.shell-secure.tls.certresolver=http"
-      - "traefik.http.routers.shell-secure.middlewares=dashboard-auth@file"
+      - "traefik.http.routers.shell-secure.middlewares=dashboard-auth@docker"
       - "traefik.http.services.shell-secure.loadbalancer.server.port=3033"
       - "traefik.http.routers.shell-secure.service=shell-secure"
 

stacks/perilous/Dockerfile

@@ -1,7 +1,7 @@
 FROM node:18-alpine
+RUN apk add --no-cache python3 make g++ vips-dev fontconfig ttf-dejavu
 WORKDIR /usr/src/app
-COPY package.json ./
+COPY content/package.json ./
 RUN npm install
-COPY server.js ./
 EXPOSE 3000
-CMD ["node", "server.js"]
+CMD ["node", "content/server.js"]

stacks/perilous/docker-compose.yml

@@ -3,40 +3,45 @@ services:
     build: .
     container_name: perilous-web
     restart: unless-stopped
-    ports:
+    expose:
-      - "3003:3000"
+      - "3000"
     volumes:
       - ./content:/usr/src/app/content
-    labels:
+    environment:
-      - "traefik.enable=true"
+      - EMAIL_PASSWORD=${PERILOUS_CODE_SERVER_PASSWORD}
-      - "traefik.http.routers.perilous-secure.entrypoints=https,http"
-      - "traefik.http.routers.perilous-secure.rule=Host(`chapel.perilous.dev`,`forest.perilous.dev`,`castle.perilous.dev`,`siege.perilous.dev`,`pass.perilous.dev`,`perilous.dev`,`www.perilous.dev`,`word.perilous.dev`,`mirror.perilous.dev`,`request.perilous.dev`,`the.chapel.perilous.dev`,`the.forest.perilous.dev`,`the.castle.perilous.dev`,`the.siege.perilous.dev`,`the.pass.perilous.dev`,`the.word.perilous.dev`,`the.mirror.perilous.dev`,`the.request.perilous.dev`,`the.adventure.perilous.dev`,`the.cs.perilous.dev`,`the.gallery.perilous.dev`,`gallery.perilous.dev`,`the.perilous.dev`,`ring.perilous.dev`,`the.ring.perilous.dev`,`autumn.perilous.dev`,`the.autumn.perilous.dev`)"
-      - "traefik.http.routers.perilous-secure.tls.certresolver=http"
     networks:
       - web
+    labels:
+      - "com.ghost.tel/stack-type=prod"
+      - "traefik.enable=true"
+      - "traefik.http.routers.perilous.entrypoints=https"
+      - "traefik.http.routers.perilous.rule=Host(`perilous.dev`) || Host(`www.perilous.dev`) || HostRegexp(`^.+\\.perilous\\.dev$$`)"
+      - "traefik.http.routers.perilous.tls.certresolver=http"
+      - "traefik.http.services.perilous.loadbalancer.server.port=3000"
 
   code-server:
     image: lscr.io/linuxserver/code-server:latest
     container_name: perilous-code-server
     restart: unless-stopped
+    expose:
+      - "8443"
     volumes:
       - ./content:/home/project
       - ./config:/config
-    ports:
-      - "8180:8443"
     environment:
       - PASSWORD=${PERILOUS_CODE_SERVER_PASSWORD}
       - PUID=1000
       - PGID=1000
       - PROXY_DOMAIN=cs.perilous.dev
       - DEFAULT_WORKSPACE=/home/project
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.pcs-secure.entrypoints=https,http"
-      - "traefik.http.routers.pcs-secure.rule=Host(`cs.perilous.dev`)"
-      - "traefik.http.routers.pcs-secure.tls.certresolver=http"
     networks:
       - web
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.perilous-cs.entrypoints=https"
+      - "traefik.http.routers.perilous-cs.rule=Host(`cs.perilous.dev`)"
+      - "traefik.http.routers.perilous-cs.tls.certresolver=http"
+      - "traefik.http.services.perilous-cs.loadbalancer.server.port=8443"
 
 networks:
   web:

stacks/radicale/docker-compose.yml

@@ -25,6 +25,7 @@ services:
     volumes:
       - ./data:/data
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.radicale.entrypoints=https"
       - "traefik.http.routers.radicale.rule=Host(`radicale.${DOMAIN}`)"

stacks/ramz/docker-compose.yml

@@ -13,6 +13,7 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.ramz-secure.entrypoints=https,http"
       - "traefik.http.routers.ramz-secure.rule=Host(`parker.ramz.cc`)"

stacks/registry/docker-compose.yml

@@ -3,25 +3,45 @@ services:
     image: registry:2
     container_name: registry
     restart: unless-stopped
-    volumes:
-      - ./data:/var/lib/registry
-      - ./auth:/auth
-    environment:
-      REGISTRY_AUTH: htpasswd
-      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
-      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-      REGISTRY_HTTP_SECRET: ${REGISTRY_HTTP_SECRET}
     expose:
-      - 5000
+      - "5000"
+    volumes:
+      - ./docker:/var/lib/registry
     networks:
       - web
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "localhost:5000/v2/"]
+      interval: 60s
+      timeout: 10s
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.registry.entrypoints=https"
       - "traefik.http.routers.registry.rule=Host(`registry.${DOMAIN}`)"
       - "traefik.http.routers.registry.tls.certresolver=http"
       - "traefik.http.services.registry.loadbalancer.server.port=5000"
 
+  registry-ui:
+    image: quiq/docker-registry-ui:latest
+    container_name: registry-ui
+    restart: unless-stopped
+    expose:
+      - "8000"
+    volumes:
+      - ./registry-ui:/opt/data
+      - ./registry-ui.yml:/opt/config.yml:ro
+    depends_on:
+      registry:
+        condition: service_healthy
+    networks:
+      - web
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.registry-ui.entrypoints=https"
+      - "traefik.http.routers.registry-ui.rule=Host(`dockerhub.${DOMAIN}`)"
+      - "traefik.http.routers.registry-ui.tls.certresolver=http"
+      - "traefik.http.services.registry-ui.loadbalancer.server.port=8000"
+
 networks:
   web:
     external: true

stacks/rsshub-public/docker-compose.yml

@@ -0,0 +1,22 @@
+services:
+  rsshub:
+    image: diygod/rsshub:latest
+    container_name: rsshub
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=public"
+      - "traefik.enable=true"
+      - "traefik.http.routers.rsshub.entrypoints=https"
+      - "traefik.http.routers.rsshub.rule=Host(`rsshub.uplink.tel`)"
+      - "traefik.http.routers.rsshub.tls.certresolver=http"
+      - "traefik.http.services.rsshub.loadbalancer.server.port=1200"
+    environment:
+      - CACHE_EXPIRE=3600
+    expose:
+      - "1200"
+    networks:
+      - web
+
+networks:
+  web:
+    external: true

stacks/searx-public/docker-compose.yml

@@ -0,0 +1,54 @@
+services:
+  redis:
+    image: redis:alpine
+    container_name: searx-redis
+    restart: unless-stopped
+    command: redis-server --save "" --appendonly "no"
+    tmpfs:
+      - /var/lib/redis
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    networks:
+      - default
+
+  searxng:
+    image: searxng/searxng:latest
+    container_name: searxng
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=public"
+      - "traefik.enable=true"
+      - "traefik.http.routers.searx.entrypoints=https"
+      - "traefik.http.routers.searx.rule=Host(`searx.uplink.tel`)"
+      - "traefik.http.routers.searx.tls.certresolver=http"
+      - "traefik.http.services.searx.loadbalancer.server.port=8080"
+    environment:
+      - SEARXNG_BASE_URL=https://searx.uplink.tel/
+    volumes:
+      - ./config:/etc/searxng:rw
+    expose:
+      - "8080"
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"
+    depends_on:
+      - redis
+    networks:
+      - web
+      - default
+
+networks:
+  web:
+    external: true

stacks/service-map/docker-compose.yml

@@ -0,0 +1,24 @@
+services:
+  service-map:
+    build: .
+    container_name: service-map
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=dev-only"
+      - "traefik.enable=true"
+      - "traefik.http.routers.service-map.rule=Host(`map.ghost.tel`)"
+      - "traefik.http.routers.service-map.entrypoints=https"
+      - "traefik.http.routers.service-map.tls.certresolver=http"
+      - "traefik.http.routers.service-map.middlewares=dashboard-auth@docker"
+      - "traefik.http.services.service-map.loadbalancer.server.port=3000"
+    environment:
+      - HOSTS=ubuntu-dev,ubuntu-prod
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ~/.ssh:/root/.ssh:ro
+    networks:
+      - web
+
+networks:
+  web:
+    external: true

stacks/smokeping/docker-compose.yml

@@ -15,11 +15,12 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "org.opencontainers.image.source=https://gitea.ghost.tel/knight/docker-stacks"
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
       - "traefik.http.routers.smokeping.entrypoints=https"
-      - "traefik.http.routers.smokeping.rule=Host(`smokeping.${DOMAIN}`)"
+      - "traefik.http.routers.smokeping.rule=Host(`smoke.${DOMAIN}`)"
       - "traefik.http.routers.smokeping.tls.certresolver=http"
       - "traefik.http.services.smokeping.loadbalancer.server.port=80"
 

stacks/snowflake/docker-compose.yml

@@ -1,15 +1,11 @@
 services:
-    snowflake-proxy:
+  snowflake-proxy:
-        network_mode: host
+    network_mode: host
-        image: containers.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake:latest
+    image: containers.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake:latest
-        container_name: snowflake-proxy
+    container_name: snowflake-proxy
-        restart: unless-stopped
+    restart: unless-stopped
-        # For a full list of Snowflake Proxy CLI parameters see
+    labels:
-        # https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/proxy?ref_type=heads#running-a-standalone-snowflake-proxy
+      - "com.ghost.tel/stack-type=public"
-        #command: [ "-ephemeral-ports-range", "30000:60000" ]
+    # For a full list of Snowflake Proxy CLI parameters see
-    watchtower:
+    # https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/proxy?ref_type=heads#running-a-standalone-snowflake-proxy
-        image: containrrr/watchtower
+    #command: [ "-ephemeral-ports-range", "30000:60000" ]
-        container_name: watchtower
-        volumes:
-          - /var/run/docker.sock:/var/run/docker.sock
-        command: snowflake-proxy

stacks/syncthing/docker-compose.yml

@@ -19,6 +19,7 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=dev-only"
       - "traefik.enable=true"
       - "traefik.http.routers.syncthing.entrypoints=https"
       - "traefik.http.routers.syncthing.rule=Host(`syncthing.${DOMAIN}`)"

stacks/szurubooru/docker-compose.yml

@@ -3,9 +3,10 @@
 ## Use this as a template to set up docker compose, or as guide to set up other
 ## orchestration services
 services:
-
   server:
     image: szurubooru/server:latest
+    labels:
+      - "com.ghost.tel/stack-type=dev-only"
     depends_on:
       - sql
     environment:

stacks/traefik/conf.d/middlewares.yaml

@@ -1,61 +0,0 @@
-# Core middlewares for traefik
-# External service routers should be added as separate files or via docker labels
-
-http:
-  routers:
-    # Redirect HTTP to HTTPS
-    https-redirect:
-      entryPoints:
-        - http
-      rule: "HostRegexp(`{host:.+}`)"
-      service: noop@internal
-      middlewares:
-        - redirect-to-https
-      priority: 1
-
-  middlewares:
-    # HTTPS redirect
-    redirect-to-https:
-      redirectScheme:
-        scheme: https
-
-    # Authentik forward auth - update URL after authentik is deployed
-    auth:
-      forwardAuth:
-        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
-        trustForwardHeader: true
-        authResponseHeaders:
-          - X-authentik-username
-          - X-authentik-groups
-          - X-authentik-email
-          - X-authentik-name
-          - X-authentik-uid
-          - X-authentik-jwt
-          - X-authentik-meta-jwks
-          - X-authentik-meta-outpost
-          - X-authentik-meta-provider
-          - X-authentik-meta-app
-          - X-authentik-meta-version
-
-    # Security headers
-    securityHeaders:
-      headers:
-        customResponseHeaders:
-          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
-          server: ""
-          X-Forwarded-Proto: "https"
-        sslProxyHeaders:
-          X-Forwarded-Proto: https
-        referrerPolicy: "same-origin"
-        hostsProxyHeaders:
-          - "X-Forwarded-Host"
-        contentTypeNosniff: true
-        browserXssFilter: true
-        forceSTSHeader: true
-        stsIncludeSubdomains: true
-        stsSeconds: 63072000
-        stsPreload: true
-
-    # Gzip compression
-    gzip:
-      compress: {}

stacks/traefik/docker-compose.yml

@@ -5,6 +5,137 @@ services:
     restart: unless-stopped
     security_opt:
       - no-new-privileges:true
+    labels:
+      - "com.ghost.tel/stack-type=prod"
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.ghost.tel`)"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=auth@docker"
+      - "traefik.http.routers.traefik.tls.certresolver=http"
+      - "traefik.http.routers.immich-redirect.entrypoints=http,https"
+      - "traefik.http.routers.immich-redirect.rule=Host(`immich.ghost.tel`)"
+      - "traefik.http.routers.immich-redirect.service=dummy"
+      - "traefik.http.routers.immich-redirect.middlewares=redirect-immich-to-photos@docker"
+      - "traefik.http.routers.immich-redirect.tls.certresolver=http"
+      - "traefik.http.routers.homeassist.entrypoints=https"
+      - "traefik.http.routers.homeassist.rule=Host(`home.ghost.tel`)"
+      - "traefik.http.routers.homeassist.service=homeassistant"
+      - "traefik.http.routers.homeassist.middlewares=securityHeaders@docker"
+      - "traefik.http.routers.homeassist.tls.certresolver=http"
+      - "traefik.http.routers.dynmap.entrypoints=http,https"
+      - "traefik.http.routers.dynmap.rule=Host(`dynmap.ghost.tel`)"
+      - "traefik.http.routers.dynmap.service=dynmap"
+      - "traefik.http.routers.dynmap.tls.certresolver=http"
+      - "traefik.http.routers.amp.entrypoints=http"
+      - "traefik.http.routers.amp.rule=Host(`amped.ghost.tel`)"
+      - "traefik.http.routers.amp.service=amp"
+      - "traefik.http.routers.amp.tls.certresolver=http"
+      - "traefik.http.routers.picam.entrypoints=http,https"
+      - "traefik.http.routers.picam.rule=Host(`printview.ghost.tel`)"
+      - "traefik.http.routers.picam.service=picam"
+      - "traefik.http.routers.picam.tls.certresolver=http"
+      - "traefik.http.routers.library.entrypoints=http,https"
+      - "traefik.http.routers.library.rule=Host(`library.ghost.tel`)"
+      - "traefik.http.routers.library.service=library"
+      - "traefik.http.routers.library.middlewares=securityHeaders@docker"
+      - "traefik.http.routers.library.tls.certresolver=http"
+      - "traefik.http.routers.meshmon.entrypoints=http,https"
+      - "traefik.http.routers.meshmon.rule=Host(`meshmon.ghost.tel`)"
+      - "traefik.http.routers.meshmon.service=meshmon"
+      - "traefik.http.routers.meshmon.middlewares=securityHeaders@docker"
+      - "traefik.http.routers.meshmon.tls.certresolver=http"
+      - "traefik.http.routers.skeyta.entrypoints=http,https"
+      - "traefik.http.routers.skeyta.rule=Host(`skeyta.ghost.tel`)"
+      - "traefik.http.routers.skeyta.service=skeyta"
+      - "traefik.http.routers.skeyta.middlewares=securityHeaders@docker"
+      - "traefik.http.routers.skeyta.tls.certresolver=http"
+      - "traefik.http.routers.radio.entrypoints=http,https"
+      - "traefik.http.routers.radio.rule=Host(`radio.uplink.tel`)"
+      - "traefik.http.routers.radio.service=radio-wunder"
+      - "traefik.http.routers.radio.middlewares=securityHeaders@docker"
+      - "traefik.http.routers.radio.tls.certresolver=http"
+      - "traefik.http.routers.sdr.entrypoints=http,https"
+      - "traefik.http.routers.sdr.rule=Host(`sdr.uplink.tel`)"
+      - "traefik.http.routers.sdr.service=sdr"
+      - "traefik.http.routers.sdr.middlewares=redirect-to-https"
+      - "traefik.http.routers.sdr.tls.certresolver=http"
+      - "traefik.http.routers.spider.entrypoints=http,https"
+      - "traefik.http.routers.spider.rule=Host(`spider.ghost.tel`)"
+      - "traefik.http.routers.spider.service=spider"
+      - "traefik.http.routers.spider.middlewares=securityHeaders@docker"
+      - "traefik.http.routers.spider.tls.certresolver=http"
+      - "traefik.http.routers.tlc.entrypoints=http,https"
+      - "traefik.http.routers.tlc.rule=Host(`tlc.ghost.tel`) || Host(`thislittlecorner.net`)"
+      - "traefik.http.routers.tlc.service=tlc"
+      - "traefik.http.routers.tlc.middlewares=securityHeaders@docker"
+      - "traefik.http.routers.tlc.tls.certresolver=http"
+      - "traefik.http.routers.photos.entrypoints=http,https"
+      - "traefik.http.routers.photos.rule=Host(`photos.ghost.tel`)"
+      - "traefik.http.routers.photos.service=wille"
+      - "traefik.http.routers.photos.middlewares=securityHeaders@docker"
+      - "traefik.http.routers.photos.tls.certresolver=http"
+      - "traefik.http.routers.invidious-uplink.entrypoints=https"
+      - "traefik.http.routers.invidious-uplink.rule=Host(`invidious.uplink.tel`)"
+      - "traefik.http.routers.invidious-uplink.service=docker-public"
+      - "traefik.http.routers.invidious-uplink.tls.certresolver=http"
+      - "traefik.http.routers.service-map.entrypoints=https"
+      - "traefik.http.routers.service-map.rule=Host(`map.ghost.tel`)"
+      - "traefik.http.routers.service-map.service=service-map"
+      - "traefik.http.routers.service-map.middlewares=dashboard-auth@docker"
+      - "traefik.http.routers.service-map.tls.certresolver=http"
+      - "traefik.http.services.dummy.loadbalancer.server.url=http://127.0.0.1"
+      - "traefik.http.services.homeassistant.loadbalancer.server.url=http://homeassistant.localdomain:8123"
+      - "traefik.http.services.homeassistant.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.dynmap.loadbalancer.server.url=http://ramiel:8123/"
+      - "traefik.http.services.amp.loadbalancer.server.url=http://192.168.1.205:8080"
+      - "traefik.http.services.amp.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.picam.loadbalancer.server.url=http://192.168.1.80:8080"
+      - "traefik.http.services.picam.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.library.loadbalancer.server.url=http://docker-dev:8033/"
+      - "traefik.http.services.library.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.meshmon.loadbalancer.server.url=http://ubuntu-dev:8383/"
+      - "traefik.http.services.meshmon.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.skeyta.loadbalancer.server.url=http://ramiel.localdomain:8"
+      - "traefik.http.services.skeyta.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.radio-wunder.loadbalancer.server.url=http://wunder.localdomain:3000"
+      - "traefik.http.services.sdr.loadbalancer.server.url=http://wunder.localdomain:8073"
+      - "traefik.http.services.sdr.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.radio-wunder.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.spider.loadbalancer.server.url=http://melchior.localdomain:30870"
+      - "traefik.http.services.spider.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.tlc.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.tlc.loadbalancer.server.url=http://ubuntu-dev.localdomain:8088"
+      - "traefik.http.services.wille.loadbalancer.server.url=http://wille.localdomain:2283"
+      - "traefik.http.services.wille.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.service-map.loadbalancer.server.url=http://docker-dev:3333/"
+      - "traefik.http.services.service-map.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.docker-public.loadbalancer.server.url=https://192.168.5.46:443"
+      - "traefik.http.services.docker-public.loadbalancer.passHostHeader=true"
+      - "traefik.http.services.docker-public.loadbalancer.serversTransport=insecure-transport"
+      - "traefik.http.serversTransports.insecure-transport.insecureSkipVerify=true"
+      - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.regex=^https?://immich\\.ghost\\.tel(/.*)?$"
+      - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.replacement=https://photos.ghost.tel$1"
+      - "traefik.http.middlewares.redirect-immich-to-photos.redirectregex.permanent=true"
+      - "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/basicAuth"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.auth.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
+      - "traefik.http.middlewares.auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
+      - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"
+      - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.server="
+      - "traefik.http.middlewares.securityHeaders.headers.customResponseHeaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.securityHeaders.headers.sslProxyHeaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.securityHeaders.headers.referrerPolicy=same-origin"
+      - "traefik.http.middlewares.securityHeaders.headers.hostsProxyHeaders=X-Forwarded-Host"
+      - "traefik.http.middlewares.securityHeaders.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.securityHeaders.headers.browserXssFilter=true"
+      - "traefik.http.middlewares.securityHeaders.headers.forceSTSHeader=true"
+      - "traefik.http.middlewares.securityHeaders.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.securityHeaders.headers.stsSeconds=63072000"
+      - "traefik.http.middlewares.securityHeaders.headers.stsPreload=true"
+      - "traefik.http.middlewares.invid-companion-prefix.addprefix.prefix=/companion"
+      - "traefik.http.middlewares.gzip.compress=true"
     networks:
       - web
     ports:
@@ -17,7 +148,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./traefik.yml:/traefik.yml:ro
       - ./acme.json:/acme.json
-      - ./conf.d/:/conf.d/
+      - ./basicAuth:/basicAuth:ro
       - /var/log:/var/log
 
 networks:

stacks/traefik/traefik.yml

@@ -8,14 +8,20 @@ api:
 entryPoints:
   http:
     address: ":80"
+    proxyProtocol:
+      insecure: true
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
   https:
     address: ":443"
+    proxyProtocol:
+      insecure: true
 
 providers:
   providersThrottleDuration: 2s
-  file:
-    directory: "/conf.d"
-    watch: true
   docker:
     watch: true
     endpoint: "unix:///var/run/docker.sock"
@@ -38,3 +44,22 @@ log:
 accessLog:
   filePath: /var/log/traefik_access.log
   format: json
+  fields:
+    defaultMode: keep
+    names:
+      clientUsername: drop
+    headers:
+      defaultMode: keep
+      names:
+        User-Agent: keep
+        Authorization: drop
+        Content-Type: keep
+        Referer: keep
+
+metrics:
+  prometheus:
+    buckets:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0

stacks/wallabag/docker-compose.yml

@@ -25,6 +25,7 @@ services:
     volumes:
       - ./images:/var/www/wallabag/web/assets/images
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.wallabag.entrypoints=https"
       - "traefik.http.routers.wallabag.rule=Host(`wallabag.${DOMAIN}`)"

stacks/watchtower/docker-compose.yml

@@ -3,6 +3,8 @@ services:
     image: containrrr/watchtower:latest
     container_name: watchtower
     restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=prod"
     environment:
       - TZ=America/New_York
       - DOCKER_API_VERSION=1.44

stacks/wikijs-public/.env.template

@@ -0,0 +1 @@
+WIKIJS_DB_PASSWORD=changeme

stacks/wikijs-public/docker-compose.yml

@@ -0,0 +1,45 @@
+services:
+  db:
+    image: postgres:11-alpine
+    container_name: wikijs-db
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=public"
+    environment:
+      POSTGRES_DB: wiki
+      POSTGRES_USER: wikijs
+      POSTGRES_PASSWORD: ${WIKIJS_DB_PASSWORD}
+    volumes:
+      - ./db-data:/var/lib/postgresql/data
+    logging:
+      driver: "none"
+
+  wiki:
+    image: requarks/wiki:2
+    container_name: wikijs
+    restart: unless-stopped
+    labels:
+      - "com.ghost.tel/stack-type=public"
+      - "traefik.enable=true"
+      - "traefik.http.routers.wikijs.entrypoints=https"
+      - "traefik.http.routers.wikijs.rule=Host(`wiki.sequela.tel`)"
+      - "traefik.http.routers.wikijs.tls.certresolver=http"
+      - "traefik.http.services.wikijs.loadbalancer.server.port=3000"
+    environment:
+      DB_TYPE: postgres
+      DB_HOST: db
+      DB_PORT: 5432
+      DB_USER: wikijs
+      DB_PASS: ${WIKIJS_DB_PASSWORD}
+      DB_NAME: wiki
+    expose:
+      - "3000"
+    depends_on:
+      - db
+    networks:
+      - web
+      - default
+
+networks:
+  web:
+    external: true

stacks/xbackbone/docker-compose.yml

@@ -14,6 +14,7 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.xbackbone.entrypoints=https"
       - "traefik.http.routers.xbackbone.rule=Host(`xb.${DOMAIN}`)"

stacks/zerotier/docker-compose.yml

@@ -4,7 +4,7 @@ services:
     container_name: zerotier-ui
     restart: always
     expose:
-      - 3180
+      - 3000
     volumes:
       - ./ztncui:/opt/key-networks/ztncui/etc
       - ./zt1:/var/lib/zerotier-one
@@ -13,11 +13,13 @@ services:
     networks:
       - web
     labels:
+      - "com.ghost.tel/stack-type=prod"
       - "traefik.enable=true"
       - "traefik.http.routers.zerotier.entrypoints=https"
       - "traefik.http.routers.zerotier.rule=Host(`zerotierui.${DOMAIN}`)"
       - "traefik.http.routers.zerotier.tls.certresolver=http"
-      - "traefik.http.routers.zerotier.middlewares=dashboard-auth@file"
+      - "traefik.http.routers.zerotier.middlewares=dashboard-auth@docker"
+      - "traefik.http.services.zerotier.loadbalancer.server.port=3000"
 
 networks:
   web: