update

duckdns/docker-compose.yaml

@@ -0,0 +1,12 @@
+---
+version: "2.1"
+services:
+  duckdns:
+    image: lscr.io/linuxserver/duckdns:arm32v7-version-fb872cca
+    container_name: duckdns
+    environment:
+      - SUBDOMAINS=paperless-cuong.duckdns.org,gitea-cuong.duckdns.org
+      - TOKEN=ab458b92-32a2-4fe3-b48b-182209c2f8c8
+    volumes:
+      - /media/USB1/docker/duckdns/config:/config #optional
+    restart: unless-stopped

filebrowser/.env

@@ -0,0 +1,6 @@
+# Host Pfad welcher über den Filebrowser erreichbar sein soll
+STORAGE_BASE_PATH=/media/USB1/docker/filebrowser
+
+# URL für Filebrowser
+HOST_URL=cuong.ddnss.de
+

filebrowser/docker-compose.yaml

@@ -0,0 +1,32 @@
+---
+version: "3"
+
+services:
+  filebrowser:
+    image: hurlenko/filebrowser
+    container_name: filebrowser
+    user: "1000:1000"
+    ports:
+      - 7443:8080
+    volumes:
+      - ${STORAGE_BASE_PATH}/data:/data
+      - ${STORAGE_BASE_PATH}/config:/config
+#    environment:
+#      - FB_BASEURL=/filebrowser
+    restart: always
+    labels:
+     - "traefik.enable=true"
+     - "traefik.http.routers.filebrowser.entrypoints=websecure"
+     - "traefik.http.routers.filebrowser.rule=Host(`${HOST_URL}`) && PathPrefix(`/filebrowser`)"
+     - "traefik.http.routers.filebrowser.tls=true"
+     - "traefik.http.routers.filebrowser.tls.certresolver=default"
+     - "traefik.http.routers.filebrowser.middlewares=secHeaders@file"
+     - "traefik.http.services.filebrowser.loadbalancer.server.port=8080"
+     
+    networks:
+     - traefik_proxy
+    
+networks:
+  traefik_proxy:
+    external:
+      name: traefik_proxy

gitea/.env

@@ -0,0 +1 @@
+DOMAIN_URL=gitea-cuong.duckdns.org

gitea/docker-compose.yaml

@@ -0,0 +1,36 @@
+version: "3"
+
+services:
+  gitea:
+    image: kunde21/gitea-arm
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__service__DISABLE_REGISTRATION=true
+      - GITEA__service__SHOW_REGISTRATION_BUTTON=!DISABLE_REGISTRATION
+      - GITEA__server__DOMAIN=gitea-cuong.duckdns.org
+    restart: always
+    volumes:
+      - /media/USB1/docker/gitea/data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+    labels:
+     - "traefik.enable=true"
+     - "traefik.http.routers.gitea.entrypoints=websecure"
+     - "traefik.http.routers.gitea.rule=Host(`${DOMAIN_URL}`)"
+     - "traefik.http.routers.gitea.tls=true"
+     - "traefik.http.routers.gitea.tls.certresolver=default"
+     - "traefik.http.routers.gitea.middlewares=secHeaders@file"
+     - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+
+    networks:
+     - traefik_proxy
+
+networks:
+  traefik_proxy:
+    external:
+      name: traefik_proxy

heimdall/README.md

@@ -0,0 +1,12 @@
+# Heimdall
+Heimdall ist ein persönliches Dashboard um Anwendungen mit einem Klick aufrufen zu können vergleichbar mit einfachen Lesezeichen. 
+Die Anwendung hat allerdings den Vorteil, dass über APIs direkt Werte der verlinkten Applikation angezeigt werden können.
+
+![Heimdall Screenshot](https://raw.githubusercontent.com/cbirkenbeul/docker-homelab/master/ressources/img/heimdall.png)
+
+## Video
+
+[![Heimdall Video](https://img.youtube.com/vi/Dmw7nAEizWk/0.jpg)](https://www.youtube.com/watch?v=Dmw7nAEizWk)
+
+## ACHTUNG
+Wenn das Dashboard via [Traefik](https://github.com/cbirkenbeul/docker-homelab/tree/master/traefik) veröffentlicht wird, müssen auch die verlinkten Lesezeichen öffentlich einsehbar sein wenn die API angesprochen werden soll.

heimdall/docker-compose.yaml

@@ -0,0 +1,17 @@
+---
+version: '3'
+
+services:
+  heimdall:
+    image: linuxserver/heimdall:2.4.13
+    container_name: heimdall
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - /media/USB1/docker/heimdall/config:/config
+    environment:
+      - PGID=1000
+      - PUID=1000
+    ports:
+      - 8080:80

nextcloud/.env

@@ -0,0 +1,11 @@
+MYSQL_ROOT_PASSWORD=pigMysq1
+MYSQL_USER=nextcloud
+MYSQL_PASSWORD=pigMysq1
+MYSQL_DATABASE=nextcloud
+
+REDIS_PASSWORD=pigR3dis
+
+HOST_URL=cuong.ddnss.de
+STORAGE_BASE_PATH=/media/USB1/docker/nextcloud
+
+PAPERLESS_STORAGE_BASE_PATH=/media/USB1/docker/paperlessngx

nextcloud/docker-compose.yaml

@@ -0,0 +1,59 @@
+version: '3.3'
+
+services:
+  nextcloud-db:
+    image: arm64v8/mariadb:10.6
+    container_name: nextcloud-db
+    restart: always
+    security_opt:
+      - seccomp:unconfined
+      - apparmor:unconfined
+    command: mysqld --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - ${STORAGE_BASE_PATH}/database_var:/var/lib/mysql
+      - ${STORAGE_BASE_PATH}/database_config:/config
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
+      - MYSQL_DATABASE=${MYSQL_DATABASE}
+      - MYSQL_USER=${MYSQL_USER}
+
+  nextcloud-app:
+    image: nextcloud
+    container_name: nextcloud-app
+    restart: always
+    ports:
+      - 8888:80
+    volumes:
+      - ${STORAGE_BASE_PATH}/app:/var/www/html
+      - ${PAPERLESS_STORAGE_BASE_PATH}/consume:/var/www/paperless_consume
+      - ${PAPERLESS_STORAGE_BASE_PATH}/media/documents/archive:/media/paperless_archive
+    links:
+      - nextcloud-db
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.nextcloud.entrypoints=websecure"
+      - "traefik.http.routers.nextcloud.rule=Host(`${HOST_URL}`)"
+      - "traefik.http.routers.nextcloud.tls=true"
+      - "traefik.http.routers.nextcloud.tls.certresolver=default"
+      - "traefik.http.routers.nextcloud.middlewares=nextcloud-dav,secHeaders@file"
+      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
+      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
+      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
+    environment:
+      - TRUSTED_PROXIES=127.0.0.1 localhost ${HOST_URL} 
+    networks:
+      - traefik_proxy
+      - default
+
+networks:
+  traefik_proxy:
+    external:
+      name: traefik_proxy
+  default:
+    driver: bridge
+

paperless/.env

@@ -0,0 +1,4 @@
+STORAGE_BASE_PATH=/media/USB1/docker/paperlessngx
+ADMIN_USER=cuong
+ADMIN_PWD=pig!www
+DOMAIN_URL=paperless-cuong.duckdns.org

paperless/docker-compose.yaml

@@ -0,0 +1,73 @@
+version: "3.6"
+services:
+  broker:
+    image: redis:6.2
+    restart: always
+    volumes:
+      - ${STORAGE_BASE_PATH}/paperedis:/data
+    networks: 
+    - paperless  
+
+  db:
+    image: postgres:14
+    restart: always
+    volumes:
+      - ${STORAGE_BASE_PATH}/paperdb:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: paperless
+      POSTGRES_USER: paperless
+      POSTGRES_PASSWORD: paperless
+    networks: 
+    - paperless    
+
+  webserver:
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    restart: always
+    depends_on:
+      - db
+      - broker
+    ports:
+      - 8777:8000
+    volumes:
+      - ${STORAGE_BASE_PATH}/data:/usr/src/paperless/data
+      - ${STORAGE_BASE_PATH}/media:/usr/src/paperless/media
+      - ${STORAGE_BASE_PATH}/export:/usr/src/paperless/export
+      - ${STORAGE_BASE_PATH}/consume:/usr/src/paperless/consume
+    environment:
+      PAPERLESS_REDIS: redis://broker:6379
+      PAPERLESS_DBHOST: db
+      USERMAP_UID: 1000
+      USERMAP_GID: 1000
+      PAPERLESS_TIME_ZONE: Europe/Berlin
+      PAPERLESS_ADMIN_USER: ${ADMIN_USER}
+      PAPERLESS_ADMIN_PASSWORD: ${ADMIN_PWD}
+      PAPERLESS_OCR_LANGUAGE: deu+eng
+      PAPERLESS_URL: https://${DOMAIN_URL}
+      # generate this for each installation
+      PAPERLESS_SECRET_KEY: A2NVnENcGDYyFKaZsxc4amAU4isAP
+
+    labels:
+     - "traefik.enable=true"
+     - "traefik.http.routers.webserver.entrypoints=websecure"
+     - "traefik.http.routers.webserver.rule=Host(`${DOMAIN_URL}`)"
+     - "traefik.http.routers.webserver.tls=true"
+     - "traefik.http.routers.webserver.tls.certresolver=default"
+     - "traefik.http.routers.webserver.middlewares=secHeaders@file"
+     - "traefik.http.services.webserver.loadbalancer.server.port=8000"
+
+    networks:
+     - paperless
+     - traefik_proxy
+
+networks:
+  paperless:
+  traefik_proxy:
+    external:
+      name: traefik_proxy
+    
+volumes:
+  data:
+  media:
+  pgdata:
+  redisdata:
+

photoprism/.env

@@ -0,0 +1,3 @@
+STORAGE_BASE_PATH=/media/USB1/docker/photoprism
+
+

photoprism/docker-compose.yml

@@ -0,0 +1,147 @@
+version: '3.5'
+
+# Example Docker Compose config file for PhotoPrism (Raspberry Pi and other ARM-based devices)
+#
+# Important: You have to boot your Raspberry Pi 3 / 4 with the parameter "arm_64bit=1"
+# in config.txt to use our ARM64 image.
+#
+# Documentation : https://docs.photoprism.org/getting-started/raspberry-pi/
+# Docker Hub URL: https://hub.docker.com/r/photoprism/photoprism/
+#
+# Attention: When installing PhotoPrism on a public server outside your home network,
+# always run it behind a secure HTTPS reverse proxy like Traefik, Caddy, or NGINX.
+# Your files and passwords will be transmitted in clear text otherwise.
+#
+# DOCKER COMPOSE COMMAND REFERENCE
+# --------------------------------------------------------------------------
+# Start    | docker-compose up -d
+# Stop     | docker-compose stop
+# Update   | docker-compose pull
+# Logs     | docker-compose logs --tail=25 -f
+# Terminal | docker-compose exec photoprism bash
+# Help     | docker-compose exec photoprism photoprism help
+# Config   | docker-compose exec photoprism photoprism config
+# Reset    | docker-compose exec photoprism photoprism reset
+# Backup   | docker-compose exec photoprism photoprism backup -a -i
+# Restore  | docker-compose exec photoprism photoprism restore -a -i
+# Index    | docker-compose exec photoprism photoprism index
+# Reindex  | docker-compose exec photoprism photoprism index -f
+# Import   | docker-compose exec photoprism photoprism import
+#
+# To search originals for faces without a complete rescan:
+# docker-compose exec photoprism photoprism faces index
+#
+# All commands may have to be prefixed with "sudo" when not running as root.
+# This will point the home directory placeholder ~ to /root in volume mounts.
+#
+# More examples: https://docs.photoprism.org/getting-started/docker-compose/#command-line-interface
+
+services:
+  ## App Server (required)
+  photoprism:
+    ## photoprism/photoprism-arm64 has been replaced by a single multi-arch image for AMD64,
+    ## ARM64, and ARMv7. Use photoprism/photoprism:preview for testing preview builds or
+    ## photoprism/photoprism:latest for the stable release:
+    image: photoprism/photoprism:latest
+    container_name: pi_photoprism
+    ## Owners of ARMv7-based devices may have to explicitly specify the image architecture:
+    # platform: "linux/arm"
+    depends_on:
+      - mariadb
+    ## Only enable automatic restarts once your installation is properly
+    ## configured as it otherwise may get stuck in a restart loop,
+    ## see https://docs.photoprism.org/getting-started/faq/#why-is-photoprism-getting-stuck-in-a-restart-loop
+    # restart: unless-stopped
+    security_opt:
+      - seccomp:unconfined
+      - apparmor:unconfined
+    ## Run as a specific, non-root user (see https://docs.docker.com/engine/reference/run/#user):
+    # user: "1000:1000"
+    ports:
+      - "2342:2342" # HTTP port (host:container)
+    environment:
+      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # PLEASE CHANGE: Your initial admin password (min 4 characters)
+      PHOTOPRISM_SITE_URL: "http://localhost:2342/"  # Public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # File size limit for originals in MB (increase for high-res video)
+      PHOTOPRISM_HTTP_COMPRESSION: "none"            # Improves transfer speed and bandwidth utilization (none or gzip)
+      PHOTOPRISM_WORKERS: 2                          # Limits the number of indexing workers to reduce system load
+      PHOTOPRISM_DEBUG: "false"                      # Run in debug mode (shows additional log messages)
+      PHOTOPRISM_PUBLIC: "false"                     # No authentication required (disables password protection)
+      PHOTOPRISM_READONLY: "false"                   # Don't modify originals directory (reduced functionality)
+      PHOTOPRISM_EXPERIMENTAL: "false"               # Enables experimental features
+      PHOTOPRISM_DISABLE_CHOWN: "false"              # Disables storage permission updates on startup
+      PHOTOPRISM_DISABLE_WEBDAV: "false"             # Disables built-in WebDAV server
+      PHOTOPRISM_DISABLE_SETTINGS: "false"           # Disables Settings in Web UI
+      PHOTOPRISM_DISABLE_TENSORFLOW: "false"         # Disables all features depending on TensorFlow
+      PHOTOPRISM_DISABLE_FACES: "false"              # Disables facial recognition
+      PHOTOPRISM_DISABLE_CLASSIFICATION: "false"     # Disables image classification
+      PHOTOPRISM_DARKTABLE_PRESETS: "true"           # Enables Darktable presets and disables concurrent RAW conversion
+      # PHOTOPRISM_FFMPEG_ENCODER: "h264_v4l2m2m"    # FFmpeg AVC encoder for video transcoding (default: libx264)
+      # PHOTOPRISM_FFMPEG_BUFFERS: "64"              # FFmpeg capture buffers (default: 32)
+      PHOTOPRISM_DETECT_NSFW: "false"                # Flag photos as private that MAY be offensive
+      PHOTOPRISM_UPLOAD_NSFW: "true"                 # Allow uploads that MAY be offensive
+      # PHOTOPRISM_DATABASE_DRIVER: "sqlite"         # SQLite is an embedded database that doesn't require a server
+      PHOTOPRISM_DATABASE_DRIVER: "mysql"            # Use MariaDB 10.5+ or MySQL 8+ instead of SQLite for improved performance
+      PHOTOPRISM_DATABASE_SERVER: "mariadb:3306"     # MariaDB or MySQL database server (hostname:port)
+      PHOTOPRISM_DATABASE_NAME: "photoprism"         # MariaDB or MySQL database schema name
+      PHOTOPRISM_DATABASE_USER: "photoprism"         # MariaDB or MySQL database user name
+      PHOTOPRISM_DATABASE_PASSWORD: "insecure"       # MariaDB or MySQL database user password
+      PHOTOPRISM_SITE_TITLE: "PhotoPrism"
+      PHOTOPRISM_SITE_CAPTION: "Browse Your Life"
+      PHOTOPRISM_SITE_DESCRIPTION: ""
+      PHOTOPRISM_SITE_AUTHOR: ""
+      ## Set a non-root user, group, or custom umask if your Docker environment doesn't support this natively:
+      # PHOTOPRISM_UID: 1000
+      # PHOTOPRISM_GID: 1000
+      # PHOTOPRISM_UMASK: 0000
+      HOME: "/photoprism"
+    ## Hardware devices for video transcoding and machine learning (optional):
+    # devices:
+    #  - "/dev/video11:/dev/video11" # Video4Linux (h264_v4l2m2m)
+    working_dir: "/photoprism"
+    volumes:
+      ## The *originals* folder contains your original photo and video files (- "[host folder]:/photoprism/originals"):
+      - "${STORAGE_BASE_PATH}/originals:/photoprism/originals"
+      ## Multiple folders can be made accessible by mounting them as subfolders of /photoprism/originals:
+      # - "/mnt/Family:/photoprism/originals/Family"    # [folder 1]:/photoprism/originals/[folder 1]
+      # - "/mnt/Friends:/photoprism/originals/Friends"  # [folder 2]:/photoprism/originals/[folder 2]
+      ## You may mount an *import* folder from which files can be transferred to *originals* (optional):
+      - "${STORAGE_BASE_PATH}/import:/photoprism/import"
+      ## Cache, session, thumbnail, and sidecar files will be created in the *storage* folder (never remove):
+      - "${STORAGE_BASE_PATH}/storage:/photoprism/storage"
+
+  ## Database Server (recommended)
+  ## see https://docs.photoprism.org/getting-started/faq/#should-i-use-sqlite-mariadb-or-mysql
+  mariadb:
+    restart: unless-stopped
+    image: arm64v8/mariadb:10.6
+    container_name: pi_photoprism_db
+    security_opt:
+      - seccomp:unconfined
+      - apparmor:unconfined
+    command: mysqld --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
+    volumes:
+      - "${STORAGE_BASE_PATH}/database:/var/lib/mysql" # Never remove
+    environment:
+      MYSQL_ROOT_PASSWORD: insecure
+      MYSQL_DATABASE: photoprism
+      MYSQL_USER: photoprism
+      MYSQL_PASSWORD: insecure
+#    ports:
+#      - "3306:3306" # HTTP port (host:container)
+
+#  teedy-server:
+#    image: sismics/docs:v1.9
+#    restart: unless-stopped
+#    ports:
+      # Map internal port to host
+#      - 8080:8080
+#    environment:
+      # Base url to be used
+#      DOCS_BASE_URL: "https://docs.example.com"
+      # Set the admin email
+#      DOCS_ADMIN_EMAIL_INIT: "admin@example.com"
+      # Set the admin password (in this example: "superSecure")
+#      DOCS_ADMIN_PASSWORD_INIT: "$$2a$$05$$PcMNUbJvsk7QHFSfEIDaIOjk1VI9/E7IPjTKx.jkjPxkx2EOKSoPS"
+#    volumes:
+#      - /media/USB1/teddy-data:/data

traefik/README.md

@@ -0,0 +1,52 @@
+# Traefik
+
+Traefik ist ein reverse proxy mit der Möglichkeit via Let's encrypt Zertifikate zu erstellen und automatisch zu verlängern. Traefik hat den Vorteil, dass es komplett via Docker steuerbar ist und somit keine weiteren Einstellungen notwendig sind.
+
+# WICHTIG!
+Die Konfiguration für Traefik zieht die Sicherheitsanforderungen ziemlich an. Hiermit eine ein Rating von A+ beim [SSLLabs Test](https://www.ssllabs.com/ssltest) erreicht.
+
+Es werden nur aktuelle Browser unterstützt! Sollte das nicht gewollt sein, muss die 
+providers.yml Datei angepasst werden. 
+
+# Vorbereitung
+Um Traefik mit meinen Dateien nutzen zu können muss folgendes durchgeführt werden
+
+## Netzwerk anlegen
+```bash
+docker network create traefik_proxy
+```
+
+## ACME Verzeichnis
+Traefik speichert alle notwendigen Informationen zu den Zertifikaten als JSON im ACME Verzeichnis. Dieses Verzeichnis benötigt besondere Rechte.
+
+```bash
+cd config/ACME
+chmod 600 acme.json
+```
+
+# Dashboard
+Um das Dashboard nutzen zu können muss die Sektion "label" in der Docker-Compose Datei auskommentiert werden. Es ist darauf zu achten, dass die Einrückungen stimmen; dazu kann sich an den anderen Sektionen orientiert werden. Anschließend muss man noch Benutzer
+und Passwort für das Dashboard erstellen. Hierzu ist ````apache2-utils```` erforderlich.
+````bash
+sudo apt install apache2-utils -y
+````
+
+Nun erstellen wir mit folgendem Befehl die Benutzer/Passwort Kombination (die spitzen Klammern <> sind ebenfalls zu ersetzen): 
+
+````bash
+echo $(htpasswd -nbB <USER> "<PASS>") | sed -e s/\\$/\\$\\$/g
+````
+ Nachdem der Befehl ausgeführt wurde, gibt die Konsole eine Zeile mit dem generierten Benutzernamen:Passphrase aus. Diese Zeile ist zu kopieren und in die docker-compose.yaml bei folgendem Label einzutragen:
+
+````bash
+- "traefik.http.middlewares.api-auth.basicauth.users=user:generatedPass"
+````
+
+Des Weiteren ist die Domain anzupassen:
+
+````bash
+- "traefik.http.routers.api.rule=Host(`traefik.example.com`) && PathPrefix(`/dashboard`)"
+````
+
+Anschließend kann der Container gestartet werden. Das Dashboard ist unter der gewählten URL und Port und dem Unterverzeichnis "/dashboard" erreichbar. Abgeleitet aus dem aktuellen Beispiel:
+https://traefik.example.com:8180/dashboard

traefik/compose-info.yaml

@@ -0,0 +1,2 @@
+name: Traefik
+description: Traefik is a reverse proxy for config as code deployment

traefik/config/dynamic.yml

@@ -0,0 +1,50 @@
+---
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+    mintls13:
+      minVersion: VersionTLS13
+
+http:
+  middlewares:
+    secHeaders:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        frameDeny: true
+        sslRedirect: true
+        #  HSTS Configuration
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customRequestHeaders:
+          X-Frame-Options: "SAMEORIGIN"
+        customFrameOptionsValue: "SAMEORIGIN"
+
+#  Beispiel für externe Dienste
+#   routers:
+#     router-1: # Tausche den Namen gegen etwas sprechendes aus
+#       entryPoints:
+#         - websecure
+#       rule: "Host(`example.com`)"
+#       service: "service-1" # Den Namen am besten ähnlich zu dem oben setzen
+#       tls:
+#         certresolver: default
+
+#  services:
+#    service-1: # Ich verwende hier den gleiche Namen wie bei routers
+#      loadBalancer:
+#        servers:
+#          - url: "http://127.0.0.1" # Auf die richtige URL anpassen.

traefik/config/traefik.toml

@@ -0,0 +1,36 @@
+[accessLog]
+  filePath = "/logs/access.log"
+
+[log]
+  level = "INFO"
+  filePath = "/logs/traefik.log"
+
+[providers]
+  [providers.docker]
+    exposedByDefault = false
+    endpoint = "unix:///var/run/docker.sock"
+    network = "traefik_proxy"
+  [providers.file]
+    filename = "/etc/traefik/dynamic.yml"
+    
+[api]
+  dashboard = true
+
+# https://doc.traefik.io/traefik/routing/entrypoints/#redirection
+[entryPoints.web]
+  address = ":80"
+
+  [entryPoints.web.http]
+    [entryPoints.web.http.redirections]
+      [entryPoints.web.http.redirections.entryPoint]
+        to = "websecure"
+        scheme = "https"
+
+[entryPoints.websecure]
+  address = ":443"
+
+[certificatesResolvers]
+  [certificatesResolvers.default.acme]
+    email = "chicuong71@gmail.com" #Email Adresse hier anpassen
+    storage = "/etc/traefik/ACME/acme.json"
+    [certificatesResolvers.default.acme.tlsChallenge]

traefik/docker-compose.yaml

@@ -0,0 +1,34 @@
+version: '3.7'
+
+services:
+  traefik:
+    image: traefik:v2.10.4
+    container_name: traefik
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./config:/etc/traefik
+      - ./logs/:/logs/
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.rule=Host(`cuong.ddnss.de`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.tls.certresolver=default"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=auth@docker"
+      - "traefik.http.middlewares.auth.basicauth.users=admin:$$2y$$05$$naCI/oZP7OfQXuvP6S20O.UZUlOt.ir6fJGX4Akqi6qw5jtxWeZEm" # Siehe Anleitung
+    networks:
+      - traefik_proxy
+      - default
+    ports:
+      - "80:80"
+      - "443:443"
+    restart: always
+
+networks:
+  traefik_proxy:
+    external:
+      name: traefik_proxy
+  default:
+    driver: bridge

uptime/docker-compose.yaml

@@ -0,0 +1,11 @@
+version: '3.8'
+
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:1
+    container_name: uptime-kuma
+    volumes:
+      - /media/USB1/docker/uptime/data:/app/data
+    ports:
+      - "3001:3001"  # <Host Port>:<Container Port>
+    restart: always

vaultwarden/.env

@@ -0,0 +1,14 @@
+#Die Domain, die an Traefik als Host übergeben wird, beispielsweise bitwarden.example.com. Tragen Sie hier die DynDNS-Adresse ein, die Sie angelegt haben. 
+BITWARDEN_URL=vaultcuong.ddnss.de
+
+#WebSockets ist notwendig für Bitwarden-Live-Sync
+WEBSOCKET_ENABLED=true
+
+#Erzeugen Sie mit 'openssl rand -base64 48 | tr -d /=' ein Admin-Token.
+ADMIN_TOKEN=MTZRNK2u7z+6ldN5YcTz05f0lGOqzAQUBWBHRVE8ylTEEP9YyTc
+
+STORAGE_BASE_PATH=/media/USB1/docker/vaultwarden
+
+HOST_URL=cuong.ddnss.de
+
+DOMAIN=https://cuong.ddnss.de/vault/

vaultwarden/docker-compose.yml

@@ -0,0 +1,45 @@
+
+---
+version: "3"
+
+services:
+  bitwarden:
+    image: vaultwarden/server:1.25.2
+    container_name: vaultwarden
+    restart: unless-stopped
+    volumes:
+      - ${STORAGE_BASE_PATH}:/data
+    ports:
+      - 8099:80
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.bitwarden.rule=Host(`${HOST_URL}`) && (PathPrefix(`/vault`))"
+      - "traefik.http.routers.bitwarden.entrypoints=websecure"
+      - "traefik.http.routers.bitwarden.tls.certresolver=default"
+      - "traefik.http.services.bitwarden.loadbalancer.server.port=80"
+      - "traefik.http.routers.bitwarden.service=bitwarden"
+      - "traefik.http.routers.bitwarden_admin.rule=Host(`${HOST_URL}`) && (PathPrefix(`/vault/admin`))"
+      - "traefik.http.routers.bitwarden_admin.entrypoints=websecure"
+      - "traefik.http.routers.bitwarden_admin.tls.certresolver=default"
+      - "traefik.http.services.bitwarden_admin.loadbalancer.server.port=80"
+      - "traefik.http.routers.bitwarden_admin.service=bitwarden_admin"
+      - "traefik.http.routers.bitwarden.middlewares=secHeaders@file"
+      - "traefik.http.routers.bitwarden_websocket-secure.entrypoints=websecure"
+      - "traefik.http.routers.bitwarden_websocket-secure.rule=Host(`${HOST_URL}`) && Path(`/vault/notifications/hub`)"
+      - "traefik.http.routers.bitwarden_websocket-secure.tls=true"
+      - "traefik.http.routers.bitwarden_websocket-secure.service=bitwarden_websocket"
+      - "traefik.http.services.bitwarden_websocket.loadbalancer.server.port=3012"
+    environment:
+#      - "ADMIN_TOKEN=MTZRNK2u7z+6ldN5YcTz05f0lGOqzAQUBWBHRVE8ylTEEP9YyTc"
+      - "ADMIN_TOKEN=${ADMIN_TOKEN}"
+      - "WEBSOCKET_ENABLED=true"
+      - "WEB_VAULT_ENABLED=true"
+      - "DOMAIN=${DOMAIN}"
+      - "SIGNUPS_ALLOWED=false"
+    networks:
+      - traefik_proxy
+
+networks:
+  traefik_proxy:
+    external:
+      name: traefik_proxy