adding plex and swarm compose files.

2025-03-11 20:58:04 -04:00
parent 8939b93e7f
commit ba6b6d1d3d
15 changed files with 861 additions and 0 deletions
@@ -0,0 +1,47 @@
+---
+networks:
+  traefik-public:
+    driver: bridge
+    attachable: true
+    name: traefik-public
+
+services:
+  code-server:
+    image: lscr.io/linuxserver/code-server:latest
+    container_name: code-server
+
+    environment:
+      - PUID=1024
+      - PGID=100
+      - TZ=America/New_York
+      #- PASSWORD=password #optional
+      #- HASHED_PASSWORD= #optional
+      #- SUDO_PASSWORD=password #optional
+      #- SUDO_PASSWORD_HASH= #optional
+      #- PROXY_DOMAIN=code-server.my.domain #optional
+      #- DEFAULT_WORKSPACE=/config/workspace #optional
+    volumes:
+      - /docker_data/code-server/config:/config
+      - /docker_data:/docker-data
+      - /mnt/glusterfs/vol01:/gluster-data
+    ports:
+      - 8443:8443
+    restart: unless-stopped
+    networks:
+      - traefik-public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.code-server.rule=Host(`code-server.gotmylab.com`)"
+      - 'traefik.http.routers.code-server.tls=true'
+      - "traefik.http.routers.code-server.entrypoints=websecured"
+      - "traefik.http.routers.code-server.tls.certresolver=le_pvt"
+      - "traefik.docker.network=traefik-public"
+      - "traefik.http.routers.code-server.service=code-server"
+      # Admin
+      #- "traefik.http.routers.code-server.middlewares=code-server-admin@docker"
+      #- "traefik.http.middlewares.code-server-admin.addprefix.prefix=/admin"
+      # HTTP
+      - "traefik.http.routers.code-server_http.entrypoints=web"
+      - "traefik.http.routers.code-server_http.rule=code-server.gotmylab.com"
+      - "traefik.http.routers.code-server_http.middlewares=redirect-to-https"
+      - "traefik.http.services.code-server.loadBalancer.server.port=8443"
@@ -0,0 +1,40 @@
+version: '3.3'
+
+volumes:
+  kuma_data:
+     external: true
+     
+networks:
+  traefik-public:
+    driver: bridge
+    attachable: true
+    name: traefik-public
+    
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:1
+    container_name: uptime-kuma
+    volumes:
+      - /mnt/glusterfs/vol01/kuma:/app/data
+    networks:
+      - traefik-public
+    dns:
+      - 10.10.1.4
+      - 10.10.3.4
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.kuma.rule=Host(`kuma.gotmylab.com`)"
+      - 'traefik.http.routers.kuma.tls=true'
+      - "traefik.http.routers.kuma.entrypoints=websecured"
+      - "traefik.http.routers.kuma.tls.certresolver=le_pvt"
+      - "traefik.docker.network=traefik-public"
+      - "traefik.http.routers.kuma.service=kuma"
+      # HTTP
+      #- "traefik.http.routers.kuma_http.entrypoints=web"
+      #- "traefik.http.routers.kuma_http.rule=kuma.gotmylab.com"
+      - "traefik.http.routers.kuma_http.middlewares=redirect-to-https"
+      - "traefik.http.services.kuma.loadBalancer.server.port=3001"
+      #- "traefik.http.services.kuma.loadbalancer.server.scheme=https"
+      #- "traefik.http.services.kuma.loadbalancer.passhostheader=true"
+      #- "traefik.http.middlewares.kuma.redirectscheme.scheme=https"
@@ -0,0 +1,78 @@
+---
+version: "3.7"
+
+volumes:
+  plex_config:
+
+services:
+  plex:
+    image: lscr.io/linuxserver/plex:latest
+    container_name: plex
+   # networks: 
+    #   - plex_macvlan
+    ports:
+      - "32400:32400/tcp"
+      - "3005:3005/tcp"
+      - "8324:8324/tcp"
+      - "32469:32469/tcp"
+      - "1900:1900/udp"
+      - "32410:32410/udp"
+      - "32412:32412/udp"
+      - "32413:32413/udp"
+      - "32414:32414/udp"
+    #runtime: nvidia
+    environment:
+      - PUID=988
+      - PGID=977
+      - TZ=America/New_York
+      - VERSION=docker
+      - PLEX_CLAIM=claim-3ESbFfP17iDSuwAvgSsN
+      - ADVERTISE_IP=http://$SERVER_IP:32400/
+      - ALLOWED_NETWORKS=$LOCAL_NETWORK
+      - HOSTNAME="plex"
+      #- NVIDIA_VISIBLE_DEVICES=all
+      #- NVIDIA_DRIVER_CAPABILITIES=compute,video,utility
+    volumes:
+      - /etc/localtime:/etc/localtime:ro # Sync the container's time to the host's time
+
+      - /home/frank/plex:/config
+      - /media/share/TV:/tv
+      - /media/share/Movies:/movies
+      - /media/share/Music:/music
+      - /media/share/Audiobooks:/books
+      - /home/frank/ramdisk:/transcode
+      # - '/dev/dri/:/dev/dri/'
+      #- /dev/dri/card0:/dev/dri/card0
+      # - /dev/shm:/transcode
+    network_mode: host
+    # deploy:
+    #   resources:
+    #     reservations:
+    #       devices:
+    #         - capabilities: [gpu]
+    devices:
+      - '/dev/dri:/dev/dri'
+      #- /dev/dri/renderD128:/dev/dri/renderD128
+      #- /dev/dri/card0:/dev/dri/card0
+    restart: unless-stopped
+    labels:
+      - "docker-volume-backup.stop-during-backup=plex"
+
+  backup:
+    image: offen/docker-volume-backup:latest
+    environment:
+      BACKUP_STOP_DURING_BACKUP_LABEL: plex
+      BACKUP_FILENAME: "plex-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"
+      BACKUP_PRUNING_PREFIX: plex-
+      BACKUP_RETENTION_DAYS: 7
+      BACKUP_CRON_EXPRESSION: "*/1 * * * *"
+    volumes:
+      - /home/frank/plex:/backup/plex_config:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /docker_volume_backup/plex:/archive
+      - /home/frank/tmp:/tmp
+    
+#networks:
+#  plex_macvlan:
+#    driver: macvlan
+#    external: true
@@ -0,0 +1,32 @@
+version: "3.4"
+
+services:
+  tdarr-node:
+    container_name: tdarr-node
+    image: ghcr.io/haveagitgat/tdarr_node:latest
+    restart: unless-stopped
+    network_mode: bridge
+    environment:
+      - TZ=America/New_York
+      - PUID=988
+      - PGID=977
+      - UMASK_SET=002
+      - nodeName=desktop
+      - nodeID=desktop
+      - serverIP=10.10.3.70
+      - serverPort=8266
+      # - NVIDIA_DRIVER_CAPABILITIES=all
+      # - NVIDIA_VISIBLE_DEVICES=all
+    volumes:
+      - /docker_data/tdarr/configs/desktop:/app/configs
+      - /docker_data/tdarr/logs:/app/logs
+      - /media/share:/media
+      - /home/frank/ramdisk/tdarr:/temp
+    devices:
+      - '/dev/dri:/dev/dri'
+      # - "/dev/dri/card0:/dev/dri/card0"
+    # deploy:
+    #   resources:
+    #     reservations:
+    #       devices:
+    #       - capabilities: [gpu, video, compute, utility]
@@ -0,0 +1,115 @@
+version: '3.9'
+
+networks:
+  traefik-public:
+    driver: bridge
+    attachable: true
+    name: traefik-public
+
+volumes:
+  ca_certs:
+    external: true
+
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    restart: unless-stopped
+    user: "977:988"
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - traefik-public
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ca_certs:/certs
+      - /etc/resolv.conf:/etc/resolv.conf
+      - /docker_data/traefik_data/dynamic_services/:/dynamic
+      #- /mnt/glusterfs/vol01/traefik_data/rules.yml:/etc/traefik/rules.yml
+      - /home/frank/traefik-standalone.yml:/etc/traefik/traefik.yml:ro
+    #command:
+      #- --api.insecure=true
+      #- --api
+      #- --api.dashboard=true
+      #- --serversTransport.insecureSkipVerify=true
+      #- "--providers.file.filename=rules.yml"
+      #- "--providers.file.directory=/etc/traefik"
+      #- "--providers.file.watch=true"
+      #- --api.debug=true
+      #- --providers.docker=true
+      #- --providers.docker.swarmMode=true
+      #- --providers.docker.network=traefik-public
+      #- --providers.docker.exposedByDefault=true
+      #- "--providers.docker.defaultRule=Host(`{{ normalize .Name }}.gotmylab.com`)"
+      #- --entrypoints.web.address=:80
+      #- --entrypoints.websecured.address=:443
+      #- --log.level=DEBUG
+      #- --entrypoints.web.http.redirections.entryPoint.to=websecured
+      #- --entrypoints.web.http.redirections.entryPoint.scheme=https
+      # LE_PVT = Resolver for services with private dns records
+      #- "--certificatesresolvers.le_pvt.acme.dnschallenge=true"
+      #- "--certificatesresolvers.le_pvt.acme.httpChallenge=false"
+      #- "--certificatesresolvers.le_pvt.acme.tlsChallenge=false"
+      #- "--certificatesresolvers.le_pvt.acme.dnschallenge.provider=cloudflare"
+      #- "--certificatesresolvers.le_pvt.acme.email=letsencrypt@gotmylab.com"
+      #- "--certificatesresolvers.le_pvt.acme.storage=/certs/prod/pvt/acme.json"
+      #- "--certificatesresolvers.le_pvt.acme.httpChallenge.entryPoint=web"
+      # LE_PUB: Resolver with public dns records
+      #- "--certificatesresolvers.le_pub.acme.dnschallenge=false"
+      #- "--certificatesresolvers.le_pub.acme.httpChallenge=false"
+      #- "--certificatesresolvers.le_pub.acme.tlsChallenge=true"
+      #- "--certificatesresolvers.le_pub.acme.dnschallenge.provider=cloudflare"
+      #- "--certificatesresolvers.le_pub.acme.email=letsencrypt@gotmylab.com"
+      #- "--certificatesresolvers.le_pub.acme.storage=/certs/prod/pub/acme.json"
+      #- "--certificatesresolvers.le_pub.acme.httpChallenge.entryPoint=web"
+      # STG: For testing services
+      #- "--certificatesresolvers.stg.acme.dnschallenge=true"
+      #- "--certificatesresolvers.stg.acme.httpChallenge=false"
+      #- "--certificatesresolvers.stg.acme.tlsChallenge=false"
+      #- "--certificatesresolvers.stg.acme.dnschallenge.provider=cloudflare"
+      #- "--certificatesresolvers.stg.acme.email=letsencrypt@gotmylab.com"
+      #- "--certificatesresolvers.stg.acme.storage=/certs/stg/acme.json"
+      #- "--certificatesresolvers.stg.acme.httpChallenge.entryPoint=web"
+      #- "--certificatesresolvers.stg.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+
+    environment:
+      - CLOUDFLARE_EMAIL=darkman738@gmail.com
+      - CLOUDFLARE_API_KEY=$CP_KEY
+      - PUID=977
+      - PGID=988
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.traefik.rule=Host(`traefik-2.gotmylab.com`)'
+      - 'traefik.http.routers.traefik.tls=true'
+      - 'traefik.http.routers.traefik.tls.certresolver=le_pvt'
+      - 'traefik.http.routers.traefik.service=api@internal'
+      - 'traefik.http.services.api.loadbalancer.server.port=8080'
+      - "traefik.docker.network=traefik-public"
+      #- "traefik.http.routers.api.middlewares=authentik@file"
+      #- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify/?rd=https://authelia.gotmylab.com/'
+      #- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+      #- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+
+      - 'traefik.http.routers.api.entrypoints=web'
+      - 'traefik.http.services.traefik.loadbalancer.server.port=80'
+
+      # TLS
+      - "traefik.http.routers.apis.rule=Host(`traefik-2.gotmylab.com`)"
+      - "traefik.http.routers.apis.entrypoints=websecured"
+      - "traefik.http.routers.apis.tls.certresolver=le_pvt"
+      
+      #- 'traefi.http.routers.api.service=api@internal'
+      #- 'traefik.http.routers.apis.service=api@internal'
+      #- 'traefik.http.routers.apis.middlewares=authelia'
+
+      # Redirect
+      #- "traefik.http.routers.api.middlewares=https_redirect"
+      #- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
+
+    # Authelia
+      #- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia.gotmylab.com/api/verify?rd=https://authelia.gotmylab.com'
+      #- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+      #- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name'
+      #- "traefik.http.routers.authelia.service=authelia"
@@ -0,0 +1,11 @@
+version: "3"
+services:
+  watchtower:
+    image: containrrr/watchtower
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      WATCHTOWER_REMOVE_VOLUMES: 'true'
+      WATCHTOWER_CLEANUP: 'true'
+      WATCHTOWER_INCLUDE_RESTARTING: 'true'
+    restart: unless-stopped
@@ -0,0 +1,132 @@
+version: "3.2"
+
+networks:
+  traefik-public:
+    external: true
+  cache:
+    external: true
+
+secrets:
+  authelia_jwt:
+    external: true
+  authelia_session:
+    external: true
+  zoho_smtp_pw:
+    external: true
+  authelia_storeage:
+    external: true
+  cache_pw:
+    external: true
+  authelia_hmac_secret:
+    external: true
+  authelia_cert_chain:
+    external: true
+  authelia_private_key:
+    external: true
+
+volumes:
+  cache:
+    driver: local
+    
+services:
+  mariadb:
+    container_name: mariadb
+    image: yobasystems/alpine-mariadb
+    #expose:
+    #  - 3306
+    volumes:
+      - /cephfs/mariadb:/config
+    environment:
+      MYSQL_ROOT_PASSWORD: ${MARIADB_ROOT_PW}
+      MYSQL_ROOT_USER: root
+      MYSQL_DATABASE: authelia
+      MYSQL_USER: authelia
+      MYSQL_PASSWORD: ${MARIADB_AUTHELIA_USER_PW}
+    networks:
+      - cache
+    restart: unless-stopped
+    
+  cache:
+    image: redis:6.2-alpine
+    restart: always
+    networks:
+      - cache
+    #expose:
+    #  - 6379
+    secrets:
+      - authelia_jwt
+      - authelia_session
+      - zoho_smtp_pw
+      - authelia_storeage
+      - authelia_hmac_secret
+      - authelia_cert_chain
+      - authelia_private_key
+    environment:
+      REDIS_PASSWORD_FILE: /run/secrets/cache_pw
+      AUTHELIA_JWT_SECRET_FILE: /run/secrets/authelia_jwt
+      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/authelia_session
+      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/zoho_smtp_pw
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/authelia_storeage
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: /run/secrets/authelia_hmac_secret
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /run/secrets/authelia_cert_chain
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /run/secrets/authelia_private_key
+      AUTHELIA_SESSION_REDIS_PASSWORD: ${REDIS_PW}
+      AUTHELIA_STORAGE_MYSQL_PASSWORD: ${MARIADB_AUTHELIA_USER_PW}
+    command: redis-server --save 20 1 --loglevel warning --requirepass h0e9exMpZnebXsRcvXQTIbrAg3CeWXiYTgg6GRwsokyeLMWiqry23OM2uBXSyOxM
+    volumes: 
+      - /cephfs/cache:/data
+    
+     
+  authelia:
+    container_name: authelia
+    image: authelia/authelia
+    depends_on:
+      - cache
+      - mariadb
+    volumes:
+      - /docker_data/authelia:/config
+      - /ca_certs/ldap:/certs
+    networks:
+      - traefik-public
+      - cache
+    #ports:
+    #  - 9091:9091
+    secrets:
+      - authelia_jwt
+      - authelia_session
+      - zoho_smtp_pw
+      - authelia_storeage
+      - authelia_hmac_secret
+      - authelia_cert_chain
+      - authelia_private_key
+    environment:
+      TZ: 'America/New_York'
+      AUTHELIA_JWT_SECRET_FILE: /run/secrets/authelia_jwt
+      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/authelia_session
+      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/zoho_smtp_pw
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/authelia_storeage
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: /run/secrets/authelia_hmac_secret
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /run/secrets/authelia_cert_chain
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /run/secrets/authelia_private_key
+      AUTHELIA_SESSION_REDIS_PASSWORD: ${REDIS_PW}
+      AUTHELIA_STORAGE_MYSQL_PASSWORD: ${MARIADB_AUTHELIA_USER_PW}
+
+    deploy:
+      labels:
+        - traefik.enable=true
+        - "traefik.docker.network=traefik-public"
+        - "traefik.http.routers.authelia.rule=Host(`authelia.gotmylab.com`)"
+        - 'traefik.http.routers.authelia.entrypoints=websecured'
+        - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+        - "traefik.http.routers.authelia.tls.certresolver=le_pvt"
+        - 'traefik.http.routers.authelia.tls=true'
+
+        # Redirect
+        - "traefik.http.routers.authelia.middlewares=https_redirect"
+        - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
+
+        # Authelia
+        - 'traefik.http.middlewares.authelia.forwardauth.address=https://authelia.gotmylab.com/api/authz/forward-auth'
+        - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+        - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name'
+        - "traefik.http.routers.authelia.service=authelia"
@@ -0,0 +1,19 @@
+version: "3.8"
+services:
+  cloudflared:
+    container_name: cloudflared-tunnel
+    image: cloudflare/cloudflared
+    restart: unless-stopped
+    command: tunnel --no-autoupdate run --token $TUNNEL_TOKEN $TUNNEL_ID
+    environment:
+      #- TUNNEL_TOKEN_FILE=/run/secrets/cloudflare_tunnel_token
+      - PUID=988
+      - PGID=977
+    networks:
+      - traefik-public
+    volumes:
+      - /docker_data/cloudflare:/home/nonroot/.cloudflared/
+
+networks:
+  traefik-public:
+    external: true
@@ -0,0 +1,40 @@
+version: "3.7"
+
+services:
+  gitea:
+    image: gitea/gitea:latest
+    volumes:
+      - /cephfs/gitea/:/data
+      #- /etc/localtime:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      - RUN_MODE=prod
+      - DOMAIN=gitea.gotmylab.com
+      - SSH_DOMAIN=gitea-ssh.gotmylab.com
+      - SSH_PORT=22
+      - SSH_LISTERN_PORT=22
+      - DISABLE_SSH=false
+      - HTTP_PORT=3000
+      - ROOT_URL=https://gitea.gotmylab.com
+      - LFS_START_SERVER=false
+      - DB_TYPE=sqlite3
+      - DISABLE_REGISTRATION=true
+    networks:
+      - traefik-public
+    dns:
+      - "1.1.1.1"
+      - "1.0.0.1"
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.gitea.rule=Host(`gitea.gotmylab.com`)"
+        - 'traefik.http.routers.gitea.tls=true'
+        - "traefik.http.routers.gitea.entrypoints=websecured"
+        - "traefik.http.routers.gitea.tls.certresolver=le_pvt"
+        - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+        - "traefik.docker.network=traefik-public"
+        - 'traefik.http.routers.public.middlewares=authelia@docker'
+
+networks:
+  traefik-public:
+    external: true
@@ -0,0 +1,32 @@
+---
+version: "3.4"
+networks:
+  traefik-public:
+    external: true
+
+services:
+  magicmirror:
+    image: karsten13/magicmirror:alpine
+    container_name: magicmirror
+    environment:
+      - PUID=1024
+      - PGID=100
+      - TZ=America/New_York
+    volumes:
+      - /docker_data/magicmirror/config:/opt/magic_mirror/config
+      - /docker_data/magicmirror/modules:/opt/magic_mirror/modules
+      - /docker_data/magicmirror/css:/opt/magic_mirror/css
+      - /etc/localtime:/etc/localtime:ro
+    restart: unless-stopped
+    networks:
+      - traefik-public
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.magicmirror.rule=Host(`magicmirror.gotmylab.com`)"
+        - 'traefik.http.routers.magicmirror.tls=true'
+        - "traefik.http.routers.magicmirror.entrypoints=websecured"
+        - "traefik.http.routers.magicmirror.tls.certresolver=le_pvt"
+        - "traefik.http.services.magicmirror.loadbalancer.server.port=8080"
+        - "traefik.swarm.network=traefik-public"
+        #- 'traefik.http.routers.public.middlewares=authelia@docker'
@@ -0,0 +1,12 @@
+---
+services:
+  nebula-sync:
+    image: ghcr.io/lovelaze/nebula-sync:latest
+    container_name: nebula-sync
+    environment:
+    - PRIMARY=https://10.10.3.80|${PW}
+    - REPLICAS=https://10.10.3.81|${PW}
+    - FULL_SYNC=true
+    - RUN_GRAVITY=true
+    - CRON=*/1 * * * *
+    - CLIENT_SKIP_TLS_VERIFICATION=true
@@ -0,0 +1,22 @@
+version: '3.8'
+services:
+  portainer-backup:
+    container_name: portainer-backup
+    image: savagesoftware/portainer-backup:latest
+    hostname: portainer-backup
+    restart: unless-stopped
+    command: schedule
+    environment:
+      TZ: America/New_York
+      PORTAINER_BACKUP_URL: "http://10.10.1.34:9000"
+      PORTAINER_BACKUP_TOKEN: ${API_KEY}
+      PORTAINER_BACKUP_PASSWORD: ""
+      PORTAINER_BACKUP_OVERWRITE: 1
+      PORTAINER_BACKUP_SCHEDULE: "0 0 1 * * *"
+      PORTAINER_BACKUP_STACKS: 1
+      PORTAINER_BACKUP_DRYRUN: 0
+      PORTAINER_BACKUP_CONCISE: 1
+      PORTAINER_BACKUP_DIRECTORY: "/backup"
+      PORTAINER_BACKUP_FILENAME: "portainer-backup.tar.gz"
+    volumes:
+      - /docker_volume_backup/portainer:/backup
@@ -0,0 +1,79 @@
+version: "3.0"
+networks:
+  traefik-public:
+    external: true
+  db_network:
+    external: false
+    
+services:
+  # uncomment this section and comment out the mysql section to use postgres instead of mysql
+  #postgres:
+    #restart: unless-stopped
+    #image: postgres:14
+    #hostname: postgres
+    #volumes: 
+    #  - semaphore-postgres:/var/lib/postgresql/data
+    #environment:
+    #  POSTGRES_USER: semaphore
+    #  POSTGRES_PASSWORD: semaphore
+    #  POSTGRES_DB: semaphore
+  # if you wish to use postgres, comment the mysql service section below 
+  mysql:
+    restart: unless-stopped
+    image: mysql:8.0
+    hostname: mysql
+    networks:
+      - db_network
+    volumes:
+      - /docker_data/semaphore/db:/var/lib/mysql
+    environment:
+      MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
+      MYSQL_DATABASE: semaphore
+      MYSQL_USER: semaphore
+      MYSQL_PASSWORD: ${MYSQL_PASS}
+  semaphore:
+    restart: unless-stopped
+    image: semaphoreui/semaphore:latest
+    volumes:
+      - /docker_data/semaphore/playbooks:/playbooks
+    environment:
+      SEMAPHORE_DB_USER: semaphore
+      SEMAPHORE_DB_PASS: ${MYSQL_PASS}
+      SEMAPHORE_DB_HOST: mysql # for postgres, change to: postgres
+      SEMAPHORE_DB_PORT: 3306 # change to 5432 for postgres
+      SEMAPHORE_DB_DIALECT: mysql # for postgres, change to: postgres
+      SEMAPHORE_DB: semaphore
+      SEMAPHORE_PLAYBOOK_PATH: /semaphore
+      SEMAPHORE_ADMIN_PASSWORD: ${ADMIN_PASS}
+      SEMAPHORE_ADMIN_NAME: admin
+      SEMAPHORE_ADMIN_EMAIL: frank@gotmylab.com
+      SEMAPHORE_ADMIN: admin
+      SEMAPHORE_ACCESS_KEY_ENCRYPTION: gs72mPntFATGJs9qK0pQ0rKtfidlexiMjYCH9gWKhTU=
+      SEMAPHORE_LDAP_ACTIVATED: 'no' # if you wish to use ldap, set to: 'yes' 
+      ANSIBLE_HOST_KEY_CHECKING: 'False'
+      #SEMAPHORE_LDAP_HOST: dc01.local.example.com
+      #SEMAPHORE_LDAP_PORT: '636'
+      #SEMAPHORE_LDAP_NEEDTLS: 'yes'
+      #SEMAPHORE_LDAP_DN_BIND: 'uid=bind_user,cn=users,cn=accounts,dc=local,dc=shiftsystems,dc=net'
+      #SEMAPHORE_LDAP_PASSWORD: 'ldap_bind_account_password'
+      #SEMAPHORE_LDAP_DN_SEARCH: 'dc=local,dc=example,dc=com'
+      #SEMAPHORE_LDAP_SEARCH_FILTER: "(\u0026(uid=%s)(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=local,dc=example,dc=com))"
+    depends_on:
+      - mysql # for postgres, change to: postgres
+    networks:
+      - traefik-public
+      - db_network
+    dns:
+      - 10.10.3.4 #Use whatever DNS provider you want. This is Google.
+      - 10.10.1.4 #Use whatever DNS provider you want. This is Google.
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.semaphore.rule=Host(`semaphore.gotmylab.com`)"
+        - 'traefik.http.routers.semaphore.tls=true'
+        - "traefik.http.routers.semaphore.entrypoints=websecured"
+        - "traefik.http.routers.semaphore.tls.certresolver=le_pvt"
+        - "traefik.http.services.semaphore.loadbalancer.server.port=3000"
+        - "traefik.docker.network=traefik-public"
+        #- 'traefik.http.routers.readarr.middlewares=authelia'
+        - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"        
@@ -0,0 +1,50 @@
+version: "3.4"
+networks:
+  traefik-public:
+    external: true
+  # tdarr-backend:
+  #   external: true
+    
+services:
+  tdarr:
+    container_name: tdarr
+    image: ghcr.io/haveagitgat/tdarr:latest
+    restart: unless-stopped
+    networks:
+      # - tdarr-backend
+      - traefik-public
+    ports:
+      - 8265:8265 # webUI port
+      - 8266:8266 # server port
+      - 8267:8267 # Internal node port
+      - 8268:8268 # Example extra node port
+    environment:
+      - TZ=America/New_York
+      - PUID=977
+      - PGID=988
+      - UMASK_SET=002
+      #- serverIP=0.0.0.0
+      - serverPort=8266
+      - webUIPort=8265
+      - internalNode=false
+      - nodeName=tdarr
+    volumes:
+      - /docker_data/tdarr/server:/app/server
+      - /docker_data/tdarr/configs:/app/configs
+      - /docker_data/tdarr/logs:/app/logs
+      # - /media/share:/media
+      # - /cache:/temp
+      # - /dev/shm:/transcode
+    # devices:
+    #    - /dev/dri:/dev/dri 
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.tdarr.rule=Host(`tdarr.gotmylab.com`)"
+        - 'traefik.http.routers.tdarr.tls=true'
+        - "traefik.http.routers.tdarr.entrypoints=websecured"
+        - "traefik.http.routers.tdarr.tls.certresolver=le_pvt"
+        - "traefik.http.services.tdarr.loadbalancer.server.port=8265"
+        - "traefik.docker.network=traefik-public"
+        - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
+        #- 'traefik.http.routers.public.middlewares=authelia@docker'
@@ -0,0 +1,152 @@
+version: '3.6'
+
+networks:
+  traefik-public:
+    driver: overlay
+    attachable: true
+    name: traefik-public
+
+services:
+  traefik:
+    image: traefik:latest
+    user: "977:988"
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - traefik-public
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /ca_certs:/certs
+      #- /etc/resolv.conf:/etc/resolv.conf
+      - /docker_data/traefik_data/dynamic_services/:/dynamic
+      - /docker_data/traefik_data/traefik.yml:/traefik.yml
+      #- /mnt/glusterfs/vol01/traefik_data/config.yml:/config.yml
+
+    #command:
+      #- --api.insecure=true
+      #- --api=true
+      #- --api.dashboard=true
+      #- '--pilot.dashboard=false'
+      #- '--global.sendAnonymousUsage=false'
+      #- '--global.checkNewVersion=false'
+      #- --serversTransport.insecureSkipVerify=true
+      #- "--providers.file.filename=rules.yml"
+      #- "--providers.file.directory=/etc/traefik"
+      #- "--providers.file.watch=true"
+      #- --api.debug=true
+      #- --providers.docker=true
+      #- --providers.docker.swarmMode=true
+      #- --providers.docker.network=traefik-public
+      #- --providers.docker.exposedByDefault=true
+      #- "--providers.docker.defaultRule=Host(`{{ normalize .Name }}.gotmylab.com`)"
+      #- --entrypoints.web.address=:80
+      #- --entrypoints.websecured.address=:443
+      #- --log.level=DEBUG
+      #- '--entryPoints.web.forwardedHeaders.insecure=false'
+      #- '--entryPoints.web.proxyProtocol.insecure=false'
+      #- '--entryPoints.websecured.forwardedHeaders.insecure=false'
+      #- '--entryPoints.websecured.proxyProtocol.insecure=false'
+      #- --entrypoints.web.http.redirections.entryPoint.to=websecured
+      #- --entrypoints.web.http.redirections.entryPoint.scheme=https
+      # LE_PVT = Resolver for services with private dns records
+      #- "--certificatesresolvers.le_pvt.acme.dnschallenge=true"
+      #- "--certificatesresolvers.le_pvt.acme.httpChallenge=false"
+      #- "--certificatesresolvers.le_pvt.acme.tlsChallenge=false"
+      #- "--certificatesresolvers.le_pvt.acme.dnschallenge.provider=cloudflare"
+      #- "--certificatesresolvers.le_pvt.acme.email=letsencrypt@gotmylab.com"
+      #- "--certificatesresolvers.le_pvt.acme.storage=/certs/prod/pvt/acme.json"
+      #- "--certificatesresolvers.le_pvt.acme.httpChallenge.entryPoint=web"
+      # LE_PUB: Resolver with public dns records
+      #- "--certificatesresolvers.le_pub.acme.dnschallenge=false"
+      #- "--certificatesresolvers.le_pub.acme.httpChallenge=false"
+      #- "--certificatesresolvers.le_pub.acme.tlsChallenge=true"
+      #- "--certificatesresolvers.le_pub.acme.dnschallenge.provider=cloudflare"
+      #- "--certificatesresolvers.le_pub.acme.email=letsencrypt@gotmylab.com"
+      #- "--certificatesresolvers.le_pub.acme.storage=/certs/prod/pub/acme.json"
+      #- "--certificatesresolvers.le_pub.acme.httpChallenge.entryPoint=web"
+      # STG: For testing services
+      #- "--certificatesresolvers.stg.acme.dnschallenge=true"
+      #- "--certificatesresolvers.stg.acme.httpChallenge=false"
+      #- "--certificatesresolvers.stg.acme.tlsChallenge=false"
+      #- "--certificatesresolvers.stg.acme.dnschallenge.provider=cloudflare"
+      #- "--certificatesresolvers.stg.acme.email=letsencrypt@gotmylab.com"
+      #- "--certificatesresolvers.stg.acme.storage=/certs/stg/acme.json"
+      #- "--certificatesresolvers.stg.acme.httpChallenge.entryPoint=web"
+      #- "--certificatesresolvers.stg.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+
+    environment:
+      - CLOUDFLARE_EMAIL=darkman738@gmail.com
+      - CLOUDFLARE_API_KEY=$CP_KEY
+      - PGID=977
+      - PUID=988
+
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      placement:
+        constraints:
+          - node.role == manager
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+      labels:
+        - 'traefik.enable=true'
+        #- 'traefik.http.routers.traefik.rule=Host(`traefik.gotmylab.com`)'
+        - 'traefik.http.routers.traefik.tls=true'
+        - 'traefik.http.routers.traefik.tls.certresolver=le_pvt'
+        - 'traefik.http.routers.traefik.service=api@internal'
+        - 'traefik.http.services.api.loadbalancer.server.port=8080'
+        - "traefik.docker.network=traefik-public"
+        # - "traefik.http.routers.api.middlewares=authentik@file"
+        #- "traefik.http.middlewares.authentik.forwardauth.address=http://authentik:9000/outpost.goauthentik.io/auth/traefik"
+        #- "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
+        #- "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
+        #- 'traefik.http.middlewares.authelia.forwardauth.address=https://authelia:9091/api/verify/?rd=https%3A%2F%2Fauthelia.gotmylab.com%2F'
+        #- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+        #- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+
+        - 'traefik.http.routers.api.entrypoints=web'
+        - 'traefik.http.services.traefik.loadbalancer.server.port=80'
+
+        # TLS
+        - "traefik.http.routers.apis.rule=Host(`traefik.gotmylab.com`)"
+        - "traefik.http.routers.apis.entrypoints=websecured"
+        - "traefik.http.routers.apis.tls.certresolver=le_pvt"
+
+        #- 'traefik.http.routers.api.service=api@internal'
+        #- 'traefik.http.routers.apis.service=api@internal'
+        #- 'traefik.http.routers.apis.middlewares=authelia'
+
+        # Redirect
+        #- "traefik.http.routers.api.middlewares=https_redirect"
+        #:- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
+
+        # Authelia
+        #- 'traefik.http.routers.api.service=api@internal'
+        - 'traefik.http.routers.apis.service=api@internal'
+        #- 'traefik.http.routers.apis.middlewares=authelia@docker'
+  # authentik-proxy:
+  #   image: ghcr.io/goauthentik/proxy
+  #   ports:
+  #     - 9000:9000
+  #     - 9443:9443
+  #   networks:
+  #     - traefik-public
+  #   environment:
+  #     AUTHENTIK_HOST: https://authentik.gotmylab.com
+  #     AUTHENTIK_INSECURE: "false"
+  #     AUTHENTIK_TOKEN: $AUTHENTIK_TOKEN
+  #           # Starting with 2021.9, you can optionally set this too
+  #           # when authentik_host for internal communication doesn't match the public URL
+  #           # AUTHENTIK_HOST_BROWSER: https://external-domain.tld
+  #   labels:
+  #     - 'traefik.enable: true'
+  #     - 'traefik.port: 9000'
+  #     - 'traefik.http.routers.authentik.rule: Host(`authentik.gotmylab.com`) && PathPrefix(`/outpost.goauthentik.io/`)'
+  #           # `authentik-proxy` refers to the service name in the compose file.
+  #     - 'traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik'
+  #     - 'traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true'
+  #     - 'traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version'
+  #   restart: unless-stopped