add watchtower

This reverts commit 9bd0dcd73b.

.gitignore

@@ -1 +1,9 @@
 .idea
+pihole/docker-compose/pihole/.env
+ldap/docker-compose/ldap/.env
+vaultwarden/docker-compose/vaultwarden/vw-data/
+
+/servarr/docker-compose/servarr/services/prowlarr/config/
+/servarr/docker-compose/servarr/services/sonarr/config/
+/servarr/docker-compose/servarr/services/qbittorrent/config/
+/jellyfin/docker-compose/jellyfin/config/

dashboard/docker-compose/dashboard/docker-compose.yaml

@@ -0,0 +1,33 @@
+#---------------------------------------------------------------------#
+#     Homarr - A simple, yet powerful dashboard for your server.      #
+#---------------------------------------------------------------------#
+services:
+  homarr:
+    container_name: homarr
+    labels:
+      - "traefik.enable=true"
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.dashboard-private.rule=Host(`dashboard.local`)
+      - traefik.http.routers.dashboard-private.entrypoints=web
+      - traefik.http.routers.dashboard-private.service=dashboard-private
+      - traefik.http.services.dashboard-private.loadbalancer.server.port=7575
+    image: ghcr.io/homarr-labs/homarr:latest
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
+      - homarr_data:/appdata
+    environment:
+      - SECRET_ENCRYPTION_KEY=8bfcd12a5055f792d783a2b2bffc1234a88e1589801fa48d92da0c76facefacc
+    ports:
+      - '7575:7575'
+    networks:
+      - traefik_traefik
+
+
+volumes:
+  homarr_data: {}
+
+
+networks:
+  traefik_traefik:
+    external: true

environments/infra/Jenkinsfile

@@ -0,0 +1,19 @@
+pipeline {
+    agent any
+
+    stages {
+
+         stage('Restart') {
+            steps {
+              sshPublisher(publishers: [sshPublisherDesc(configName: 'infra.1', transfers: [sshTransfer(cleanRemote: false, excludes: '', execCommand: '''
+              logger -t jenkins-ssh-publisher "Restarting infra environment"
+              pwd
+              cd /home/rschneider/infra/
+              git pull
+              cd environments/infra
+              bash ./restart.sh
+              ''', execTimeout: 120000, flatten: false, makeEmptyDirs: false, noDefaultExcludes: false, patternSeparator: '[, ]+', remoteDirectory: '//home/rschneider/infra/', remoteDirectorySDF: false, removePrefix: '', sourceFiles: '')], usePromotionTimestamp: false, useWorkspaceInPromotion: false, verbose: false)])
+            }
+        }
+    }
+}

environments/infra/restart.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+log() {
+  echo "$1"
+  logger -t infra-update "$1"
+}
+
+PROJECT_ROOT=$(readlink -f "$(dirname "$(realpath "$0")")/../..")
+log "Project root directory: $PROJECT_ROOT"
+
+# Restart all projects except 'traefik' and 'jenkins'
+for dir in $(find "$PROJECT_ROOT" -mindepth 3 -maxdepth 3 -not -path "*/docker-compose/*/*"  -type d -path "*/docker-compose/*" | grep -v "/traefik/docker-compose/traefik" | grep -v "/jenkins/docker-compose/jenkins"); do
+  log "Processing directory: $dir"
+  cd "$dir" || { log "Failed to enter directory: $dir"; continue; }
+
+  # Execute docker compose commands
+  if [ -f "docker-compose.yml" ] || [ -f "docker-compose.yaml" ]; then
+    log "Running docker compose down && docker compose up -d in $dir"
+    docker compose down && docker compose up -d
+  else
+    log "No docker-compose file found in $dir, skipping..."
+  fi
+
+  # Return to the project root
+  cd "$PROJECT_ROOT" || exit
+done
+
+# Restart 'traefik' project last
+TRAEFIK_DIR=$(find "$PROJECT_ROOT" -mindepth 3 -maxdepth 3 -not -path "*/docker-compose/*/*" -type d -path "*/traefik/docker-compose/traefik")
+if [ -n "$TRAEFIK_DIR" ]; then
+  log "Processing traefik directory: $TRAEFIK_DIR"
+  cd "$TRAEFIK_DIR" || { log "Failed to enter traefik directory: $TRAEFIK_DIR"; exit 1; }
+
+  # Execute docker compose commands
+  if [ -f "docker-compose.yml" ] || [ -f "docker-compose.yaml" ]; then
+    log "Running docker compose down && docker compose up -d in $TRAEFIK_DIR"
+    docker compose down && docker compose up -d
+  else
+    log "No docker-compose file found in $TRAEFIK_DIR, skipping..."
+  fi
+fi

gitea/docker-compose/gitea/docker-compose.yml

@@ -1,12 +1,21 @@
 version: "3"
 
 networks:
-  gitea:
-    external: false
+  traefik_traefik:
+    external: true
 
 services:
   server:
-    image: gitea/gitea:1.22.2
+    labels:
+      - traefik.http.routers.gitea.rule=Host(`gitea.rschneider.net`)
+      - traefik.http.routers.gitea.tls=true
+      - traefik.http.services.gitea.loadbalancer.server.port=3000
+      - traefik.http.routers.gitea.service=gitea
+      - traefik.http.routers.gitea-public.rule=Host(`gitea.rschneider.hu`)
+      - traefik.http.routers.gitea-public.tls=true
+      - traefik.http.routers.gitea-public.service=gitea-public
+      - traefik.http.services.gitea-public.loadbalancer.server.port=3000
+    image: gitea/gitea:1.25.4
     container_name: gitea
     environment:
       - USER_UID=1000
@@ -17,9 +26,10 @@ services:
       - GITEA__database__USER=gitea
       - GITEA__database__PASSWD=gitea
       - GITEA__service__DISABLE_REGISTRATION=true
+      - GITEA__migrations_ALLOWED_DOMAINS=*
     restart: always
     networks:
-      - gitea
+      - traefik_traefik
     volumes:
       - gitea:/data
       - /etc/timezone:/etc/timezone:ro
@@ -38,7 +48,7 @@ services:
       - POSTGRES_PASSWORD=gitea
       - POSTGRES_DB=gitea
     networks:
-      - gitea
+      - traefik_traefik
     volumes:
         - db:/var/lib/postgresql/data
 

grafana/docker-compose/grafana/docker-compose.yaml

@@ -0,0 +1,30 @@
+
+services:
+  grafana:
+    labels:
+      - traefik.http.routers.grafana.rule=Host(`grafana.rschneider.net`)
+      - traefik.http.routers.grafana.tls=true
+      - traefik.http.routers.grafana.service=grafana
+      - traefik.http.services.grafana.loadbalancer.server.port=3000
+      - traefik.http.routers.grafana-public.rule=Host(`grafana.rschneider.hu`)
+      - traefik.http.routers.grafana-public.tls=true
+      - traefik.http.routers.grafana-public.service=grafana-public
+      - traefik.http.services.grafana-public.loadbalancer.server.port=3000
+    image: grafana/grafana-enterprise
+    container_name: grafana
+    restart: unless-stopped
+    ports:
+      - '4116:3000'
+    volumes:
+      - grafana-storage:/var/lib/grafana
+    environment:
+      - GF_INSTALL_PLUGINS=grafana-clock-panel
+    networks:
+      traefik_traefik:
+
+volumes:
+  grafana-storage: {}
+
+networks:
+  traefik_traefik:
+    external: true

grafana/jenkins/Jenkinsfile

@@ -0,0 +1,26 @@
+pipeline {
+    agent any
+
+    stages {
+        stage('Git pull && docker compose restart') {
+            steps {
+                sshPublisher(publishers: [sshPublisherDesc(configName: 'infra.1', transfers: [sshTransfer(cleanRemote: false, excludes: '', execCommand: '''cd /home/rschneider/infra
+                git pull
+                cd /home/rschneider/infra/grafana/docker-compose/grafana
+                docker compose down
+                docker compose up -d
+                ''', execTimeout: 120000,
+                flatten: false,
+                makeEmptyDirs: false,
+                noDefaultExcludes: false,
+                patternSeparator: '[, ]+',
+                remoteDirectory: '',
+                remoteDirectorySDF: false,
+                removePrefix: '', sourceFiles: '')],
+                usePromotionTimestamp: false,
+                useWorkspaceInPromotion: false,
+                verbose: true)])
+            }
+        }
+    }
+}

immich/docker-compose/immich/.env

@@ -0,0 +1,21 @@
+# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
+
+# The location where your uploaded files are stored
+UPLOAD_LOCATION=immich
+# The location where your database files are stored
+DB_DATA_LOCATION=postgres
+
+# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+TZ=Europe/Budapest
+
+# The Immich version to use. You can pin this to a specific version like "v1.71.0"
+IMMICH_VERSION=release
+
+# Connection secret for postgres. You should change it to a random password
+# Please use only the characters `A-Za-z0-9`, without special characters or spaces
+DB_PASSWORD=postgres
+
+# The values below this line do not need to be changed
+###################################################################################
+DB_USERNAME=postgres
+DB_DATABASE_NAME=immich

immich/docker-compose/immich/docker-compose.yml

@@ -0,0 +1,119 @@
+#
+# WARNING: To install Immich, follow our guide: https://immich.app/docs/install/docker-compose
+#
+# Make sure to use the docker-compose.yml of the current release:
+#
+# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+#
+# The compose file on main may not be compatible with the latest release.
+
+name: immich
+
+services:
+  immich-server:
+    labels:
+      - "traefik.enable=true"
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.immich-public.rule=Host(`immich.rschneider.hu`)
+      - traefik.http.routers.immich-public.tls=true
+      - traefik.http.routers.immich-public.entrypoints=web, websecure
+      - traefik.http.routers.immich-public.service=immich-public
+      - traefik.http.services.immich-public.loadbalancer.server.port=2283
+    container_name: immich_server
+    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
+    # extends:
+    #   file: hwaccel.transcoding.yml
+    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
+    volumes:
+      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
+      - ${UPLOAD_LOCATION}:/usr/src/app/upload
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - .env
+    ports:
+      - '4119:2283'
+    depends_on:
+      - redis
+      - database
+    restart: always
+    healthcheck:
+      disable: false
+    networks:
+      - traefik_traefik
+      - immich
+
+
+  immich-machine-learning:
+    container_name: immich_machine_learning
+    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
+    # Example tag: ${IMMICH_VERSION:-release}-cuda
+    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
+    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
+    #   file: hwaccel.ml.yml
+    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+    volumes:
+      - model-cache:/cache
+    env_file:
+      - .env
+    networks:
+      - immich
+    restart: always
+    healthcheck:
+      disable: false
+
+  redis:
+    container_name: immich_redis
+    image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
+    healthcheck:
+      test: redis-cli ping || exit 1
+    restart: always
+    networks:
+      - immich
+
+  database:
+    container_name: immich_postgres
+    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_USER: ${DB_USERNAME}
+      POSTGRES_DB: ${DB_DATABASE_NAME}
+      POSTGRES_INITDB_ARGS: '--data-checksums'
+    volumes:
+      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
+      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
+    networks:
+      - immich
+    healthcheck:
+      test: >-
+        pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || exit 1;
+        Chksum="$$(psql --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" --tuples-only --no-align
+        --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')";
+        echo "checksum failure count is $$Chksum";
+        [ "$$Chksum" = '0' ] || exit 1
+      interval: 5m
+      start_interval: 30s
+      start_period: 5m
+    command: >-
+      postgres
+      -c shared_preload_libraries=vectors.so
+      -c 'search_path="$$user", public, vectors'
+      -c logging_collector=on
+      -c max_wal_size=2GB
+      -c shared_buffers=512MB
+      -c wal_compression=on
+    restart: always
+
+volumes:
+  model-cache:
+  postgres:
+  immich:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.2.57,nolock,soft,rw"
+      device: ":/schneider/photos"
+
+networks:
+  immich:
+  traefik_traefik:
+    external: true
+

immich/jenkins/Jenkinsfile

@@ -0,0 +1,27 @@
+
+pipeline {
+    agent any
+
+    stages {
+        stage('Git pull && docker compose restart') {
+            steps {
+                sshPublisher(publishers: [sshPublisherDesc(configName: 'infra.1', transfers: [sshTransfer(cleanRemote: false, excludes: '', execCommand: '''cd /home/rschneider/infra
+                git pull
+                cd /home/rschneider/infra/immich/docker-compose/immich
+                docker compose down
+                docker compose up -d
+                ''', execTimeout: 120000,
+                flatten: false,
+                makeEmptyDirs: false,
+                noDefaultExcludes: false,
+                patternSeparator: '[, ]+',
+                remoteDirectory: '',
+                remoteDirectorySDF: false,
+                removePrefix: '', sourceFiles: '')],
+                usePromotionTimestamp: false,
+                useWorkspaceInPromotion: false,
+                verbose: true)])
+            }
+        }
+    }
+}

jenkins/docker-compose/jenkins/docker-compose.yaml

@@ -1,7 +1,17 @@
 
 services:
   jenkins:
-    image: nexus.rschneider.hu/repo1/infra/jenkins:1.0.1
+    labels:
+      - traefik.http.routers.jenkins-internal.rule=Host(`internal.jenkins.rschneider.hu`)
+      - traefik.http.routers.jenkins-internal.tls=true
+      - traefik.http.routers.jenkins-internal.entrypoints=web, websecure
+      - traefik.http.services.jenkins-internal.loadbalancer.server.port=8080
+      - traefik.http.routers.jenkins-internal.service=jenkins-internal
+      - traefik.http.routers.jenkins-public.rule=Host(`jenkins.rschneider.hu`)
+      - traefik.http.routers.jenkins-public.tls=true
+      - traefik.http.routers.jenkins-public.service=jenkins-public
+      - traefik.http.services.jenkins-public.loadbalancer.server.port=8080
+    image: docker.rschneider.hu/infra/jenkins:2.480-offical
     restart: always
     ports:
       - "4112:8080"
@@ -9,10 +19,18 @@ services:
       - jenkins_home:/var/jenkins_home
       - /var/run/docker.sock:/var/run/docker.sock
       - mvn_repository:/mvn/repository
+    networks:
+      traefik_traefik:
   ssh-agent:
     image: jenkins/ssh-agent
+    networks:
+      traefik_traefik:
 
 
+networks:
+  traefik_traefik:
+    external: true
+
 volumes:
   jenkins_home:
   mvn_repository:

jenkins/docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM jenkins:2.60.3
+FROM jenkins/jenkins:2.480
 
 # Install docker
 USER root
@@ -14,7 +14,7 @@ ENV DOCKER_HOST=unix:///var/run/docker.sock
 
 # Give user `jenkins` permission to use the docker daemon. The group ID of the created `docker`
 # group matches with the ID of the docker group on the MMKB core server
-RUN groupadd --gid 999 docker
+RUN groupadd --gid 1001 docker
 RUN usermod -aG docker jenkins
 
 # Import the CA Certificate needed for company GitLab into the JVM TrustStore to make it known to Jenkins

jenkins/docker/script/docker.build.sh

@@ -3,7 +3,7 @@
 CURRENT_DIR=$(dirname "$0")
 DOCKER_CONTEXT_DIR=$(readlink -f "$CURRENT_DIR/..");
 
-tag="nexus.rschneider.hu/repo1/infra/jenkins:1.0.1"
+tag="docker.rschneider.hu/infra/jenkins:2.480-offical"
 
-docker build --tag $tag . \
+docker build --tag $tag "${DOCKER_CONTEXT_DIR}" \
     && docker push $tag

keycloak/docker-compose/keycloak/docker-compose.yaml

@@ -1,8 +1,13 @@
 
 services:
   keycloak-web:
+    labels:
+      - traefik.http.routers.keycloak.rule=Host(`keycloak.rschneider.net`)
+      - traefik.http.routers.keycloak.tls=true
+      - traefik.http.services.keycloak.loadbalancer.server.port=8080
     platform: linux/amd64
-    image: quay.io/keycloak/keycloak:24.0.4
+    image: quay.io/keycloak/keycloak:26.5.2
+    restart: always
     volumes:
       - ./services/keycloak/themes:/opt/keycloak/themes
     environment:
@@ -24,7 +29,7 @@ services:
 #    command: start-dev --import-realm
     #    command: start-dev
     depends_on:
-      - keycloak-db
+      - traefik_traefik
     ports:
       - 4107:8080
     networks:
@@ -33,8 +38,9 @@ services:
   keycloak-db:
     platform: linux/amd64
     image: mariadb:10.11.8
+    restart: always
     networks:
-      - keycloak-network
+      - traefik_traefik
     environment:
       MARIADB_ROOT_PASSWORD: root
       MARIADB_DATABASE: keycloak
@@ -42,10 +48,9 @@ services:
       - keycloak-db-1:/var/lib/mysql
       - ./services/db/mariadb/conf.d:/etc/mysql/conf.d
 
-
-
 networks:
-  keycloak-network:
+  traefik_traefik:
+    external: true
 
 volumes:
   keycloak-db-1:

ldap/docker-compose/ldap/docker-compose.yaml

@@ -1,7 +1,12 @@
 version: '3.7'
 services:
   openldap:
+    labels:
+      - traefik.http.routers.ldap.rule=Host(`ldap.rschneider.net`)
+      - traefik.http.routers.ldap.tls=true
+      - traefik.http.services.ldap.loadbalancer.server.port=389
     image: osixia/openldap:latest
+    restart: always
     container_name: openldap
     hostname: openldap
     ports:
@@ -25,10 +30,15 @@ services:
         - LDAP_READONLY_USER_USERNAME=user-ro
         - LDAP_READONLY_USER_PASSWORD=${LDAP_RO_PASSWORD}
     networks:
-      - openldap
+      - traefik_traefik
 
   phpldapadmin:
+    labels:
+      - traefik.http.routers.phpldap.rule=Host(`phpldap.rschneider.net`)
+      - traefik.http.routers.phpldap.tls=true
+      - traefik.http.services.phpldap.loadbalancer.server.port=80
     image: osixia/phpldapadmin:latest
+    restart: always
     container_name: phpldapadmin
     hostname: phpldapadmin
     ports:
@@ -39,11 +49,11 @@ services:
     depends_on:
       - openldap
     networks:
-      - openldap
+      traefik_traefik:
 
 networks:
-  openldap:
-    driver: bridge
+  traefik_traefik:
+    external: true
 
 volumes:
   ldap_config:

loki/docker-compose/loki/docker-compose.yaml

@@ -0,0 +1,27 @@
+version: '3.8'
+
+services:
+  loki:
+    image: grafana/loki:3.0.0                       # Specifies the Loki Docker image and version.
+    container_name: loki                            # Names the container for easier management.
+    volumes:
+      - ./loki-config.yaml:/mnt/config/loki-config.yaml # Mounts the Loki configuration file.
+      - loki_data:/tmp
+    ports:
+      - "4118:3100"                                 # Maps port 3100 on the host to port 3100 in the container.
+    command: -config.file=/mnt/config/loki-config.yaml # Runs Loki with the specified configuration file.
+    restart: unless-stopped
+
+  promtail:
+    image: grafana/promtail:3.0.0                   # Specifies the Promtail Docker image and version.
+    container_name: promtail                        # Names the container for easier management.
+    volumes:
+      - ./promtail-config.yaml:/mnt/config/promtail-config.yaml # Mounts the Promtail configuration file.
+      - /var/log:/var/log                           # Mounts the host's log directory.
+    depends_on:
+      - loki                                       # Ensures Promtail starts after Loki.
+    command: -config.file=/mnt/config/promtail-config.yaml # Runs Promtail with the specified configuration file.
+    restart: unless-stopped
+
+volumes:
+  loki_data: {}

loki/docker-compose/loki/loki-config.yaml

@@ -0,0 +1,50 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+
+common:
+  instance_addr: 127.0.0.1
+  path_prefix: /tmp/loki
+  storage:
+    filesystem:
+      chunks_directory: /tmp/loki/chunks
+      rules_directory: /tmp/loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+ruler:
+  alertmanager_url: http://localhost:9093
+
+# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
+# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
+#
+# Statistics help us better understand how Loki is used, and they show us performance
+# levels for most users. This helps us prioritize features and documentation.
+# For more information on what's sent, look at
+# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
+# Refer to the buildReport method to see what goes into a report.
+#
+# If you would like to disable reporting, uncomment the following lines:
+analytics:
+  reporting_enabled: false

loki/docker-compose/loki/promtail-config.yaml

@@ -0,0 +1,18 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+- job_name: system
+  static_configs:
+  - targets:
+      - localhost
+    labels:
+      job: varlogs
+      __path__: /var/log/*log

loki/jenkins/Jenkinsfile

@@ -0,0 +1,26 @@
+pipeline {
+    agent any
+
+    stages {
+        stage('Git pull && docker compose restart') {
+            steps {
+                sshPublisher(publishers: [sshPublisherDesc(configName: 'infra.1', transfers: [sshTransfer(cleanRemote: false, excludes: '', execCommand: '''cd /home/rschneider/infra
+                git pull
+                cd /home/rschneider/infra/loki/docker-compose/loki
+                docker compose down
+                docker compose up -d
+                ''', execTimeout: 120000,
+                flatten: false,
+                makeEmptyDirs: false,
+                noDefaultExcludes: false,
+                patternSeparator: '[, ]+',
+                remoteDirectory: '',
+                remoteDirectorySDF: false,
+                removePrefix: '', sourceFiles: '')],
+                usePromotionTimestamp: false,
+                useWorkspaceInPromotion: false,
+                verbose: true)])
+            }
+        }
+    }
+}

nextcloud/docker-compose/nextcloud/docker-compose.yaml

@@ -0,0 +1,56 @@
+version: '2'
+
+volumes:
+  nextcloud:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.2.57,nolock,soft,rw"
+      device: ":/schneider/nextcloud"
+  db:
+
+services:
+  db:
+    image: mariadb:10.6
+    restart: always
+    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
+    volumes:
+      - db:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=root
+      - MYSQL_PASSWORD=nextcloud
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+    networks:
+      nextcloud:
+
+  app:
+    labels:
+      - traefik.http.routers.nextcloud.rule=Host(`internal.nextcloud.rschneider.hu`)
+      - traefik.http.routers.nextcloud.tls=true
+      - traefik.http.routers.nextcloud.service=nextcloud
+      - traefik.http.services.nextcloud.loadbalancer.server.port=80
+      - traefik.http.routers.nextcloud-public.rule=Host(`nextcloud.rschneider.hu`)
+      - traefik.http.routers.nextcloud-public.tls=true
+      - traefik.http.routers.nextcloud-public.service=nextcloud-public
+      - traefik.http.services.nextcloud-public.loadbalancer.server.port=80
+    image: nextcloud
+    restart: always
+    ports:
+      - 4115:80
+    links:
+      - db
+    volumes:
+      - nextcloud:/var/www/html
+    environment:
+      - MYSQL_PASSWORD=nextcloud
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_HOST=db
+    networks:
+      nextcloud:
+      traefik_traefik:
+
+networks:
+  nextcloud: {}
+  traefik_traefik:
+    external: true

nextcloud/jenkins/Jenkinsfile

@@ -0,0 +1,26 @@
+pipeline {
+    agent any
+
+    stages {
+        stage('Git pull && docker compose restart') {
+            steps {
+                sshPublisher(publishers: [sshPublisherDesc(configName: 'infra.1', transfers: [sshTransfer(cleanRemote: false, excludes: '', execCommand: '''cd /home/rschneider/infra
+                git pull
+                cd /home/rschneider/infra/nextcloud/docker-compose/nextcloud
+                docker compose down
+                docker compose up -d
+                ''', execTimeout: 120000,
+                flatten: false,
+                makeEmptyDirs: false,
+                noDefaultExcludes: false,
+                patternSeparator: '[, ]+',
+                remoteDirectory: '',
+                remoteDirectorySDF: false,
+                removePrefix: '', sourceFiles: '')],
+                usePromotionTimestamp: false,
+                useWorkspaceInPromotion: false,
+                verbose: true)])
+            }
+        }
+    }
+}

nextcloud/rschneider@hu/nextcloud.rschneider.hu.conf

@@ -0,0 +1,80 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    listen 80;
+    listen [::]:80;            # comment to disable IPv6
+
+    if ($scheme = "http") {
+        return 301 https://$host$request_uri;
+    }
+    if ($http_x_forwarded_proto = "http") {
+        return 301 https://$host$request_uri;
+    }
+
+    listen 443 ssl http2;      # for nginx versions below v1.25.1
+    listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6
+
+    # listen 443 ssl;      # for nginx v1.25.1+
+    # listen [::]:443 ssl; # for nginx v1.25.1+ - keep comment to disable IPv6
+    # http2 on;            # uncomment to enable HTTP/2 - supported on nginx v1.25.1+
+
+    # listen 443 quic reuseport;       # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
+    # listen [::]:443 quic reuseport;  # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6
+    # http3 on;                                 # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # quic_gso on;                              # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # quic_retry on;                            # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # quic_bpf on;                              # improves  HTTP/3 / QUIC - supported on nginx v1.25.0+, if nginx runs as a docker container you need to give it privileged permission to use this option
+    # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+
+    proxy_buffering off;
+    proxy_request_buffering off;
+
+    client_max_body_size 0;
+    client_body_buffer_size 512k;
+    # http3_stream_buffer_size 512k; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    proxy_read_timeout 86400s;
+
+    server_name nextcloud.rschneider.hu;
+
+    location / {
+        proxy_pass http://${nuc}:4430${nuc}:4430$request_uri; # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
+
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header Early-Data $ssl_early_data;
+
+        # Websocket
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+
+    # If running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine,
+    # the <your-nc-domain> in the below lines should be replaced with just the domain (eg. example.com), not the subdomain.
+    # In this case the subdomain should already be secured without additional actions
+    # ssl_certificate /etc/letsencrypt/live/<your-nc-domain>/fullchain.pem;   # managed by certbot on host machine
+    # ssl_certificate_key /etc/letsencrypt/live/<your-nc-domain>/privkey.pem; # managed by certbot on host machine
+
+    ssl_certificate /etc/nginx/ssl/live/nextcloud.rschneider.hu/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/nextcloud.rschneider.hu/privkey.pem;
+
+    ssl_dhparam /etc/dhparam; # curl -L https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/dhparam
+
+    ssl_early_data on;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ecdh_curve x25519:x448:secp521r1:secp384r1:secp256r1;
+
+    ssl_prefer_server_ciphers on;
+    ssl_conf_command Options PrioritizeChaCha;
+    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
+}

nexus/docker-compose/docker-compose.yaml

@@ -1,13 +0,0 @@
-
-services:
-  nexus:
-    image: sonatype/nexus3
-    restart: always
-    volumes:
-      - "nexus-data:/sonatype-work"
-    ports:
-      - "4108:8081"
-      - "4109:8085"
-      - "4110:8085"
-volumes:
-  nexus-data: {}

nexus/docker-compose/nexus/docker-compose.yaml

@@ -0,0 +1,38 @@
+
+services:
+  nexus:
+    labels:
+      - traefik.http.routers.nexus.rule=Host(`nexus.rschneider.net`)
+      - traefik.http.routers.nexus.tls=true
+      - traefik.http.routers.nexus.service=nexus
+      - traefik.http.services.nexus.loadbalancer.server.port=8081
+      - traefik.http.routers.nexus-public.rule=Host(`nexus.rschneider.hu`)
+      - traefik.http.routers.nexus-public.tls=true
+      - traefik.http.routers.nexus-public.service=nexus-public
+      - traefik.http.services.nexus-public.loadbalancer.server.port=8081
+      - traefik.http.routers.nexus-docker-public.rule=Host(`docker.rschneider.hu`)
+      - traefik.http.routers.nexus-docker-public.tls=true
+      - traefik.http.routers.nexus-docker-public.service=nexus-docker-public
+      - traefik.http.services.nexus-docker-public.loadbalancer.server.port=8086
+      - traefik.http.routers.nexus-docker-internal.rule=Host(`internal-docker.rschneider.hu`)
+      - traefik.http.routers.nexus-docker-internal.tls=true
+      - traefik.http.routers.nexus-docker-internal.service=nexus-docker-internal
+      - traefik.http.services.nexus-docker-internal.loadbalancer.server.port=8086
+
+    image: sonatype/nexus3
+    restart: always
+    volumes:
+      - "nexus-data:/nexus-data"
+#    ports:
+#      - "4108:8081"
+#      - "4109:8085"
+#      - "4110:8086"
+    networks:
+      traefik_traefik:
+
+volumes:
+  nexus-data: {}
+
+networks:
+  traefik_traefik:
+    external: true

paperless/docker-compose/paperless/docker-compose.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=paperless

paperless/docker-compose/paperless/docker-compose.yaml

@@ -0,0 +1,112 @@
+# Docker Compose file for running paperless from the Docker Hub.
+# This file contains everything paperless needs to run.
+# Paperless supports amd64, arm and arm64 hardware.
+#
+# All compose files of paperless configure paperless in the following way:
+#
+# - Paperless is (re)started on system boot, if it was running before shutdown.
+# - Docker volumes for storing data are managed by Docker.
+# - Folders for importing and exporting files are created in the same directory
+#   as this file and mounted to the correct folders inside the container.
+# - Paperless listens on port 8000.
+#
+# In addition to that, this Docker Compose file adds the following optional
+# configurations:
+#
+# - Instead of SQLite (default), MariaDB is used as the database server.
+#
+# To install and update paperless with this file, do the following:
+#
+# - Copy this file as 'docker-compose.yml' and the files 'docker-compose.env'
+#   and '.env' into a folder.
+# - Run 'docker compose pull'.
+# - Run 'docker compose up -d'.
+#
+# For more extensive installation and update instructions, refer to the
+# documentation.
+
+services:
+  broker:
+    image: docker.io/library/redis:8
+    restart: unless-stopped
+    volumes:
+      - redisdata:/data
+    networks:
+        paperless:
+
+  db:
+    image: docker.io/library/mariadb:11
+    restart: unless-stopped
+    volumes:
+      - dbdata:/var/lib/mysql
+    environment:
+      MARIADB_HOST: paperless
+      MARIADB_DATABASE: paperless
+      MARIADB_USER: paperless
+      MARIADB_PASSWORD: paperless
+      MARIADB_ROOT_PASSWORD: paperless
+    networks:
+      paperless:
+
+
+  webserver:
+    labels:
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.paperless-internal.rule=Host(`internal-paperless.rschneider.hu`)
+      - traefik.http.routers.paperless-internal.tls=true
+      - traefik.http.routers.paperless-internal.entrypoints=web, websecure
+      - traefik.http.services.paperless-internal.loadbalancer.server.port=8000
+      - traefik.http.routers.paperless-internal.service=paperless-internal
+      - traefik.http.routers.paperless-public.rule=Host(`paperless.rschneider.hu`)
+      - traefik.http.routers.paperless-public.tls=true
+      - traefik.http.routers.paperless-public.service=paperless-public
+      - traefik.http.services.paperless-public.loadbalancer.server.port=8000
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    restart: unless-stopped
+    depends_on:
+      - db
+      - broker
+    ports:
+      - "8000:8000"
+    volumes:
+      - data:/usr/src/paperless/data
+      - media:/usr/src/paperless/media
+      - ./export:/usr/src/paperless/export
+      - ./consume:/usr/src/paperless/consume
+    env_file: docker-compose.env
+    environment:
+      PAPERLESS_REDIS: redis://broker:6379
+      PAPERLESS_DBENGINE: mariadb
+      PAPERLESS_DBHOST: db
+      PAPERLESS_DBUSER: paperless # only needed if non-default username
+      PAPERLESS_DBPASS: paperless # only needed if non-default password
+      PAPERLESS_DBPORT: 3306
+      PAPERLESS_URL: "https://internal-paperless.rschneider.hu"
+      PAPERLESS_CSRF_TRUSTED_ORIGINS: "https://internal-paperless.rschneider.hu,https://paperless.rschneider.hu"
+      PAPERLESS_ALLOWED_HOSTS: "https://internal-paperless.rschneider.hu,https://paperless.rschneider.hu"
+      PAPERLESS_CORS_ALLOWED_HOSTS: "https://internal-paperless.rschneider.hu,https://paperless.rschneider.hu"
+
+    networks:
+      traefik_traefik:
+      paperless:
+
+
+volumes:
+  data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.2.57,nolock,soft,rw"
+      device: ":/schneider/paperless/data"
+  media:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.2.57,nolock,soft,rw"
+      device: ":/schneider/paperless/media"
+  dbdata:
+  redisdata:
+
+
+networks:
+  traefik_traefik:
+    external: true
+  paperless: {}

pihole/docker-compose/pihole/docker-compose.yaml

@@ -1,7 +1,14 @@
 # More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
 services:
   pihole:
-    container_name: pihole
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.pihole.rule=Host(`internal.pihole.rschneider.hu`)
+      - traefik.http.routers.pihole.tls=true
+      - traefik.http.routers.pihole.entrypoints=web, websecure
+      - traefik.http.services.pihole.loadbalancer.server.port=80
+      - traefik.http.routers.pihole.service=pihole
     image: pihole/pihole:latest
     # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
     ports:
@@ -10,13 +17,25 @@ services:
 #      - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
       - "4114:80/tcp"
     environment:
-      TZ: 'America/Chicago'
-      # WEBPASSWORD: 'set a secure password here or it will be random'
+      TZ: 'Europe/Budapest'
+      WEBPASSWORD: ${PI_HOLE_PASSWORD}
     # Volumes store your data between container upgrades
     volumes:
-      - './etc-pihole:/etc/pihole'
-      - './etc-dnsmasq.d:/etc/dnsmasq.d'
+      - 'pihole:/etc/pihole'
+      - 'dnsmasq:/etc/dnsmasq.d'
+      - './services/pihole/resolv.conf:/etc/resolv.conf'
     #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
     cap_add:
       - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
     restart: unless-stopped
+
+    networks:
+      traefik_traefik:
+
+networks:
+  traefik_traefik:
+    external: true
+
+volumes:
+  pihole: {}
+  dnsmasq: {}

pihole/docker-compose/pihole/services/pihole/resolv.conf

@@ -0,0 +1,3 @@
+nameserver 127.0.0.1
+nameserver 192.168.2.1
+search .

prometheus/README.md

@@ -0,0 +1,10 @@
+
+# prometheus
+
+## install prometheus
+
+https://www.youtube.com/watch?app=desktop&v=yrscZ-kGc_Y&ab_channel=Techdox
+
+## install node_exporter 
+
+wget https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-amd64.tar.gz

prometheus/docker-compose/prometheus/docker-compose.yaml

@@ -0,0 +1,13 @@
+services:
+  prometheus:
+    image: prom/prometheus
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+    ports:
+      - 4117:9090
+    restart: unless-stopped
+    volumes:
+      - ./prometheus-config:/etc/prometheus
+      - prom_data:/prometheus
+volumes:
+  prom_data:

prometheus/docker-compose/prometheus/prometheus-config/prometheus.yml

@@ -0,0 +1,27 @@
+global:
+  scrape_interval: 15s
+  scrape_timeout: 10s
+  evaluation_interval: 15s
+alerting:
+  alertmanagers:
+    - static_configs:
+        - targets: []
+      scheme: http
+      timeout: 10s
+      api_version: v1
+scrape_configs:
+  - job_name: prometheus
+    honor_timestamps: true
+    scrape_interval: 15s
+    scrape_timeout: 10s
+    metrics_path: /metrics
+    scheme: http
+    static_configs:
+      - targets:
+          - localhost:9090
+  - job_name: infra # Change to whatever you like
+    static_configs:
+      - targets: ['192.168.2.66:9100'] #Change this to your server's IP
+  - job_name: proxmox # Change to whatever you like
+    static_configs:
+      - targets: [ '192.168.2.60:9100' ] #Change this to your server's IP

prometheus/jenkins/Jenkinsfile

@@ -0,0 +1,26 @@
+pipeline {
+    agent any
+
+    stages {
+        stage('Git pull && docker compose restart') {
+            steps {
+                sshPublisher(publishers: [sshPublisherDesc(configName: 'infra.1', transfers: [sshTransfer(cleanRemote: false, excludes: '', execCommand: '''cd /home/rschneider/infra
+                git pull
+                cd /home/rschneider/infra/prometheus/docker-compose/prometheus
+                docker compose down
+                docker compose up -d
+                ''', execTimeout: 120000,
+                flatten: false,
+                makeEmptyDirs: false,
+                noDefaultExcludes: false,
+                patternSeparator: '[, ]+',
+                remoteDirectory: '',
+                remoteDirectorySDF: false,
+                removePrefix: '', sourceFiles: '')],
+                usePromotionTimestamp: false,
+                useWorkspaceInPromotion: false,
+                verbose: true)])
+            }
+        }
+    }
+}

prometheus/node-exporter.md

@@ -0,0 +1,105 @@
+# Setting Up Node Exporter
+
+## Download Node Exporter
+
+Begin by downloading Node Exporter using the wget command:
+
+```bash
+wget https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz
+```
+
+Note: Ensure you are using the latest version of Node Exporter and the correct architecture build for your server. The provided link is for amd64. For the latest releases, check here - Prometheus Node Exporter Releases
+
+## Extract the Contents¶
+
+After downloading, extract the contents with the following command:
+
+```bash
+tar xvf node_exporter-1.7.0.linux-amd64.tar.gz
+```
+
+## Move the Node Exporter Binary¶
+
+Change to the directory and move the node_exporter binary to /usr/local/bin:
+
+```bash
+cd node_exporter-1.7.0.linux-amd64
+```
+
+```bash
+sudo cp node_exporter /usr/local/bin
+```
+
+Then, clean up by removing the downloaded tar file and its directory:
+
+```bash
+rm -rf ./node_exporter-1.7.0.linux-amd64
+```
+
+## Create a Node Exporter User¶
+
+Create a dedicated user for running Node Exporter:
+```bash
+sudo useradd --no-create-home --shell /bin/false node_exporter
+```
+
+Assign ownership permissions of the node_exporter binary to this user:
+```bash
+sudo chown node_exporter:node_exporter /usr/local/bin/node_exporter
+```
+
+## Configure the Service¶
+
+To ensure Node Exporter automatically starts on server reboot, configure the systemd service:
+
+```bash
+sudo nano /etc/systemd/system/node_exporter.service
+```
+
+Then, paste the following configuration:
+
+```properties
+[Unit]
+Description=Node Exporter
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=node_exporter
+Group=node_exporter
+Type=simple
+ExecStart=/usr/local/bin/node_exporter
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Save and exit the editor.
+
+## Enable and Start the Service¶
+
+Reload the systemd daemon:
+
+```bash
+sudo systemctl daemon-reload
+```
+
+Enable the Node Exporter service:
+```bash
+sudo systemctl enable node_exporter
+```
+
+
+Start the service:
+
+```bash
+sudo systemctl start node_exporter
+```
+
+To confirm the service is running properly, check its status:
+
+```bash
+sudo systemctl status node_exporter.service
+```

prometheus/scripts/install.node-exporter.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+cd /tmp
+# download archived binary
+wget https://github.com/prometheus/node_exporter/releases/download/v1.8.2/node_exporter-1.8.2.linux-amd64.tar.gz
+# extract tar
+tar -xvf node_exporter-1.8.2.linux-amd64.tar.gz
+# cd to extracted dir
+cd node_exporter-1.8.2.linux-amd64
+# everybody can execute it
+sudo chmod a+x node_exporter
+# copy node_exporter
+sudo cp node_exporter /usr/local/bin
+#create a new service
+sudo vim /etc/systemd/system/node_exporter.service
+
+cat << EOF > /etc/systemd/system/node_exporter.service
+[Unit]
+Description=Node Exporter
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=mmkb
+Group=mmkb
+Type=simple
+ExecStart=/usr/local/bin/node_exporter
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# enable and start service
+sudo systemctl enable node_exporter
+sudo systemctl start node_exporter
+sudo systemctl status node_exporter.service

readme.md

@@ -4,22 +4,27 @@
 
 router redirects port range 4100-4200 to the infra server
 
-| port | service     | description     |
-|------|-------------|-----------------|
-| 4100 | gitea       | web             |
-| 4101 | gitea       | ssh             |
-| 4102 | xwiki       | web             |
-| 4103 | keycloak    | web             |
-| 4104 | ldap        | web /phpldap    |
-| 4105 | ldap        | ldap/slapd      |
-| 4106 | ldap        | ldap/slapd/ssl  |
-| 4107 | keycloak    | keycloak web    |
-| 4108 | nexus       | admin web       |
-| 4109 | nexus       | admin web       |
-| 4110 | nexus       | docker registry |
-| 4111 | vaultwarden | web             |
-| 4112 | jenkins     | jenkins         |
-| 80   | traefik     | traefic proxy   |
-| 4113 | traefik     | traefik webui   |
-| 53   | pihole      | pihole dns      |
-| 4114 | pihole      | pihole web      |
+| port | service    | description     | url                                |
+|------|------------|-----------------|------------------------------------|
+| 4100 | gitea      | web             |                                    |
+| 4101 | gitea      | ssh             |                                    |
+| 4102 | xwiki      | web             |                                    |
+| 4103 | keycloak   | web             |                                    |
+| 4104 | ldap       | web /phpldap    |                                    |
+| 4105 | ldap       | ldap/slapd      |                                    |
+| 4106 | ldap       | ldap/slapd/ssl  |                                    |
+| 4107 | keycloak   | keycloak web    |                                    |
+| 4108 | nexus      | admin web       |                                    |
+| 4109 | nexus      | admin web       |                                    |
+| 4110 | nexus      | docker registry |                                    |
+| 4111 | vaultwarden | web             | https://vaultwarden.rschneider.net |
+| 4112 | jenkins    | jenkins         |                                    |
+| 80   | traefik    | traefic proxy   |                                    |
+| 4113 | traefik    | traefik webui   | https://traefik.rschneider.net     |
+| 53   | pihole     | pihole dns      |                                    |
+| 4114 | pihole     | pihole web      | https://pihole.rschneider.net      |
+| 4115 | nextcloud  | nextcloud web   | https://nextcloud.rschneider.net   |
+| 4116 | grafana    | grafana web     | https://grafana.rschneider.net     |
+| 4117 | prometheus | prometheus web  | https://prometheus.rschneider.net  |
+| 4118 | loki       | loki web        | https://loki.rschneider.net        |
+| 4119 | immich     | immich          | https://immich.rschneider.net      |

servarr/docker-compose/servarr/docker-compose.yaml

@@ -0,0 +1,154 @@
+services:
+
+  sonarr:
+    image: lscr.io/linuxserver/sonarr:latest
+    labels:
+      - "traefik.enable=true"
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.sonarr-private.rule=Host(`sonarr.local`)
+      - traefik.http.routers.sonarr-private.entrypoints=web
+      - traefik.http.routers.sonarr-private.service=sonarr-private
+      - traefik.http.services.sonarr-private.loadbalancer.server.port=8989
+    container_name: sonarr
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+    volumes:
+      - sonarr_config:/config
+      - servarr_data:/data
+    ports:
+      - 8401:8989
+    restart: unless-stopped
+    networks:
+      - servarr
+      - traefik_traefik
+
+  radarr:
+    image: lscr.io/linuxserver/radarr:latest
+    labels:
+      - "traefik.enable=true"
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.radarr-private.rule=Host(`radarr.local`)
+      - traefik.http.routers.radarr-private.entrypoints=web
+      - traefik.http.routers.radarr-private.service=radarr-private
+      - traefik.http.services.radarr-private.loadbalancer.server.port=7878
+    container_name: radarr
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+    volumes:
+      - radarr_config:/config
+      - servarr_data:/data
+    ports:
+      - 8403:7878
+    restart: unless-stopped
+    networks:
+      - servarr
+      - traefik_traefik
+
+  prowlarr:
+    image: lscr.io/linuxserver/prowlarr:latest
+    labels:
+      - "traefik.enable=true"
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.prowlarr-private.rule=Host(`prowlarr.local`)
+      - traefik.http.routers.prowlarr-private.entrypoints=web
+      - traefik.http.routers.prowlarr-private.service=prowlarr-private
+      - traefik.http.services.prowlarr-private.loadbalancer.server.port=9696
+    container_name: prowlarr
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+    volumes:
+      - prowlarr_config:/config
+    ports:
+      - 8402:9696
+    restart: unless-stopped
+    networks:
+      - servarr
+      - traefik_traefik
+
+
+  qbittorrent:
+    image: lscr.io/linuxserver/qbittorrent:latest
+    labels:
+      - "traefik.enable=true"
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.qbittorrent-private.rule=Host(`torrent.local`)
+      - traefik.http.routers.qbittorrent-private.entrypoints=web
+      - traefik.http.routers.qbittorrent-private.service=qbittorrent-private
+      - traefik.http.services.qbittorrent-private.loadbalancer.server.port=8405
+
+    container_name: qbittorrent
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - WEBUI_PORT=8405
+      - TORRENTING_PORT=8406
+    volumes:
+      - qbittorrent_config:/config
+      - servarr_downloads:/data/downloads #optional
+    ports:
+      - 8405:8405
+      - 8406:8406
+      - 8406:8406/udp
+    restart: unless-stopped
+
+    networks:
+      - servarr
+      - traefik_traefik
+
+  jellyfin:
+    image: jellyfin/jellyfin
+    labels:
+      - "traefik.enable=true"
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.jellyfin-private.rule=Host(`jellyfin.local`)
+      - traefik.http.routers.jellyfin-private.entrypoints=web
+      - traefik.http.routers.jellyfin-private.service=jellyfin-private
+      - traefik.http.services.jellyfin-private.loadbalancer.server.port=8096
+
+    container_name: jellyfin
+    user: 1000:1000
+    ports:
+      - 8096:8096/tcp
+      - 7359:7359/udp
+    volumes:
+      - jellyfin_config:/config
+      - jellyfin_cache:/cache
+      - servarr_data:/data
+    restart: 'unless-stopped'
+    # Optional - alternative address used for autodiscovery
+      # environment:
+    #   - JELLYFIN_PublishedServerUrl=http://example.com
+    # Optional - may be necessary for docker healthcheck to pass if running in host network mode
+    extra_hosts:
+      - 'host.docker.internal:host-gateway'
+
+volumes:
+  prowlarr_config: {}
+  qbittorrent_config: {}
+  sonarr_config: {}
+  jellyfin_config: {}
+  jellyfin_cache: {}
+  radarr_config: {}
+  servarr_data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.2.57,nolock,soft,rw"
+      device: ":/schneider/servarr/data"
+  servarr_downloads:
+    driver: local
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.2.57,nolock,soft,rw"
+      device: ":/schneider/servarr/data/downloads"
+
+networks:
+  servarr: {}
+  traefik_traefik:
+    external: true

traefik/docker-compose/traefik/docker-compose.yaml

@@ -1,14 +1,42 @@
 services:
   reverse-proxy:
+    labels:
+      - traefik.docker.network=traefik_traefik
+      - traefik.http.routers.reverse-proxy.rule=Host(`traefik.rschneider.net`)
+      - traefik.http.routers.reverse-proxy.tls=true
+      - traefik.http.routers.reverse-proxy.service=reverse-proxy
+      - traefik.http.services.reverse-proxy.loadbalancer.server.port=8080
+      - traefik.http.routers.reverse-proxy-internal.rule=Host(`internal.traefik.rschneider.hu`)
+      - traefik.http.routers.reverse-proxy-internal.tls=true
+      - traefik.http.routers.reverse-proxy-internal.service=reverse-proxy-internal
+      - traefik.http.services.reverse-proxy-internal.loadbalancer.server.port=8080
     # The official v3 Traefik docker image
-    image: traefik:v3.1
+    image: traefik:v3.6
+    restart: always
     # Enables the web UI and tells Traefik to listen to docker
-    command: --api.insecure=true --providers.docker
+    command:
+#      - --api.insecure=true
+#      - --providers.docker
+#      - --entryPoints.web.address=:80
+#      - --entryPoints.websecure.address=:443
+#      - --accesslog=true
+#      - --log.level=DEBUG
+      - --configFile=/traefik/config.yaml
     ports:
       # The HTTP port
       - "80:80"
+      - "4180:80"
       # The Web UI (enabled by --api.insecure=true)
-      - "8080:8080"
+      - "4113:8080"
+      - "443:443"
     volumes:
       # So that Traefik can listen to the Docker events
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./services/traefik/config.yaml:/traefik/config.yaml
+      - ./services/traefik/ssl:/traefik/ssl
+      - ./services/traefik/dynamic/file:/traefik/dynamic/file
+    networks:
+      - traefik
+networks:
+  traefik:
+    driver: bridge

traefik/docker-compose/traefik/services/traefik/config.yaml

@@ -0,0 +1,36 @@
+# enable admin gui
+api:
+  insecure: true
+
+# enable access logs
+accessLog: {}
+
+# set log level
+log:
+  level: debug
+
+
+# set default certificate
+tls:
+  stores:
+    default:
+#    certificate not set so will be autogenerated
+      defaultCertificate:
+        certFile: /traefik/domain.crt
+        keyFile: /traefik/domain.key
+
+# enable docker compose auto discovery
+providers:
+  docker: { }
+  file:
+    directory: /traefik/dynamic/file/
+    filename: dynamic-config.yaml
+    watch: true
+
+## Static configuration
+entryPoints:
+  web:
+    address: ":80"
+
+  websecure:
+    address: ":443"

traefik/docker-compose/traefik/services/traefik/dynamic/file/dynamic-config.yaml

@@ -0,0 +1,8 @@
+# set default certificate
+tls:
+  stores:
+    default:
+      #    certificate not set so will be autogenerated
+      defaultCertificate:
+        certFile: /traefik/ssl/domain.crt
+        keyFile: /traefik/ssl/domain.key

traefik/docker-compose/traefik/services/traefik/ssl/domain.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFxzCCA6+gAwIBAgIUM/L7Z0FIAgw69BXPm2Oeul574hYwDQYJKoZIhvcNAQEL
+BQAwczELMAkGA1UEBhMCSFUxDTALBgNVBAgMBEdZTVMxHjAcBgNVBAcMFU1vc29u
+bWFneWFyw4PCs3bDg8KhcjETMBEGA1UECgwKcnNjaG5laWRlcjEgMB4GCSqGSIb3
+DQEJARYRcm9jaG8wMkBnbWFpbC5jb20wHhcNMjUwNDExMjAyMTUwWhcNMzUwNDA5
+MjAyMTUwWjBzMQswCQYDVQQGEwJIVTENMAsGA1UECAwER1lNUzEeMBwGA1UEBwwV
+TW9zb25tYWd5YXLDg8KzdsODwqFyMRMwEQYDVQQKDApyc2NobmVpZGVyMSAwHgYJ
+KoZIhvcNAQkBFhFyb2NobzAyQGdtYWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQAD
+ggIPADCCAgoCggIBAL+RIYT6gQmj9WYFDewoIa5aHaghnz++Zze/kgrjf7B8coE1
+unRvt30YIKBryzNFseZ/v/NR1R/Fbx9dmgY/7IPkpX/rH9GtFEh0Nqc55ru1LX2e
+SeTjTIrVdZzNuBKsHo/Vx4Fwsp6+QI7XkZmklmDWlHY2JbioF/voCvgL51KAJMYB
+GUFc2Tq1Ymz2JeaubSvnQJ6R4bnAWPK7gn7Iuj8P0x+vI4L7DTnPFOhOfAM6Ufua
+be53oj2ot/10jWUeWGWAdTz5MKGDMeKkmL5zXApsQH29bpMtMdVR5Z/PmKLuf53S
+4hmLU6GXzFQHSQ8HFQHfja6/UhNH4RT7QLFhaKfUrr8lKp4QCWWv+P/GLFNGFDv3
+8Low4H7SdxIewsNby/kovofphEdnfoUQ8t6Vb3Zj8CY66bv2p5upDTZXgABzMSf4
+/LlxYjQ+65hsn+LMbWfxjMvsCENdAmNGSpBZGgI4bhKuP+0lJ1Ry7ii6ruC0GAB+
+7M8vNTiHHpfSi+dtyDwsRaBxXaWCdNLyT1uEEUZtrdcSoq98n486Fp2yV/x6oXTX
+LWoUnjMH4QHVcv7F/fEQFKv8F8FiuZFUQIYUHmBSzO02JcJw3TAjgiNZiZ3u5Bit
+fPDfgNrq29Qff/jnsttxZpHPdrXtv66YRp4M5AFPZC6EWzp9ZQEKPu3sueyVAgMB
+AAGjUzBRMB0GA1UdDgQWBBQvkg7ng3rO/jyEIeYRpIpMP/s9ujAfBgNVHSMEGDAW
+gBQvkg7ng3rO/jyEIeYRpIpMP/s9ujAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4ICAQASQrBtxNtRzJZTVRJWa9YimG2MmgFaQWyTUtZhn9VibGMoqxO/
+SHF+ARz/4oBE2t0V4DDR8DbJzuoQXzA+TkKyMTf0iIt9OPOXg2tTN7jqsdIC17pB
+xuqykUXVfoFSvZlah/yfn1FFf0d80p3rr7EGHoAhWAykHXVBk96IL+MuxP+fG68T
+kUKF66oOGx3eDo/dw0+qaE1By4PNtX+CUvq5VwEI8DZjLpxurOee9wWw2dx/z5kQ
+aYge7z+96iDZSsw3dsBWnxwtABcRrtp2Bjsm8pKJtTtJs+ekAMc76WCTLfWArU1q
+yVvDc3xLs1xL5HD9YZ5COT0NgQ2BlCsbfIZpZ39WHA97+08E/WOsITfzejmN0ABx
+KWT9bwkhCBSRZVUuyltgLcbrzlXcDPB7aE/knMoj0XzWLi4FgAwtjumrNi9wW4w0
+mx6w3w6JLng5JTJt0jnBw7MyV3QgDVmCCud0PP8DOqKk45YaIM12veemIga4WmwX
+W67wFbGYw37V7smGTr582Ju9Lhn96vkFk2ZMOXuvji83cYUsdkfZJZ2RnxT2Yd2j
+LLI9UZHuBxtkzFNsUODtUSXZnfkCkEi7Jzyu6rV3HdIqpiy61xt2fhqD+iUwIz8b
+D5kpMOgDCk2XSfRBwo7d7+HH8lFGu65sRmup74mzetYxMcagcQuvhO4EEg==
+-----END CERTIFICATE-----

traefik/docker-compose/traefik/services/traefik/ssl/domain.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC/kSGE+oEJo/Vm
+BQ3sKCGuWh2oIZ8/vmc3v5IK43+wfHKBNbp0b7d9GCCga8szRbHmf7/zUdUfxW8f
+XZoGP+yD5KV/6x/RrRRIdDanOea7tS19nknk40yK1XWczbgSrB6P1ceBcLKevkCO
+15GZpJZg1pR2NiW4qBf76Ar4C+dSgCTGARlBXNk6tWJs9iXmrm0r50CekeG5wFjy
+u4J+yLo/D9MfryOC+w05zxToTnwDOlH7mm3ud6I9qLf9dI1lHlhlgHU8+TChgzHi
+pJi+c1wKbEB9vW6TLTHVUeWfz5ii7n+d0uIZi1Ohl8xUB0kPBxUB342uv1ITR+EU
++0CxYWin1K6/JSqeEAllr/j/xixTRhQ79/C6MOB+0ncSHsLDW8v5KL6H6YRHZ36F
+EPLelW92Y/AmOum79qebqQ02V4AAczEn+Py5cWI0PuuYbJ/izG1n8YzL7AhDXQJj
+RkqQWRoCOG4Srj/tJSdUcu4ouq7gtBgAfuzPLzU4hx6X0ovnbcg8LEWgcV2lgnTS
+8k9bhBFGba3XEqKvfJ+POhadslf8eqF01y1qFJ4zB+EB1XL+xf3xEBSr/BfBYrmR
+VECGFB5gUsztNiXCcN0wI4IjWYmd7uQYrXzw34Da6tvUH3/457LbcWaRz3a17b+u
+mEaeDOQBT2QuhFs6fWUBCj7t7LnslQIDAQABAoICAAbgvhRZLiLbeScVjV9qPXNW
+FvR/aIlQW8JbpXGwo1gBz9alyDEABdV+9UTtOdl4ah+9fHXO/VjrrMayhKIuz14Y
+6nxCQ90yWqUTTxcH9CnPInf9I+gM5SWi7lsX48D/3wUJBuW11yPt7sFyKe8bQq7t
+ZV0tKoOLvXi05xfqzX5fzXIyfeaj38TE2GjTGZ9DqfXGksJeuH0D0+27H79Pk6hJ
++CmODzdXriziK3z/vGIdSO5AqCvErdWK5jg6ZA06XrAeQZdT1xQlcrgRcs57s9VH
+97TMBVlRaRWgoB7xxCgtafWPqcCDCRinK5XkwRHCDlYH4b1hbx/0F7e6IaN8vNYh
+0qusZHIJjhOE0AzBroGQgDbLXV24nJ8QbYgwWoxGwzYDR7v1n8rUWHBTTSW1nwM+
+Rb3fxI0YWnrBL8Wwktlmsi6tLChAOKL/VzOUyn39CHO4unFOEFaUjFkwGwXLC76v
+LPkY9b1CmGiYbiL4EhsmUHho+fNlEPfOpD1Rkbd8BhF9KPt7R5rHf1MiD+cCI/9J
+E3Y9Vwd1brkAIdy+Imt1S8bn14R/ZtuuYd/WkZEIUcrot0+MI3hTeIzc7+onJlLt
+uwvWVT/d4zMhKVXr8gvcJ3RcszDas71Ba+ChMCzOv+vJm/vcNDBtMLDZ8kuhNltF
+hq1uhGi8ALg+/jtLTHFtAoIBAQDto1/ts7v/cNI+epXCa2GtalcWzpgbOI93QTgJ
+MigJpdOzyphZV0L2Brv79iyl5mY6MeI8vUwCqEYcgxljfTRk+Zqwz36zRgaNYbfD
+0iMu6n0FRrQ7YkWaWwkFfRhUoWz5gNxg9TdJ9pRBnS9AB+sCXb23vj68hGCMYkE6
+HT4B7Tv9niXfW0MU+B4GLEDpUtyYe645yQCkDnO6hsCfUnieLqh9bxCuPvFI/ul0
+Oqh/9GDT2FHUYp8f6NebvBdl2dIZxDRI9BmNf46IAksIUKVjnLQX3ZUwWoWP/KnQ
+0T79MyiydQ3wSgz4/uaun3Cflqk2IYoDf4vGP6spuo1nQUD/AoIBAQDOXnBmV9Q/
+XdFAlPtlpIVXoIFgMOuUXhjNfc7/1YQBJpsfP4YZgUkwKQ1Tfn0xtuGs9FJoUD8d
+D2ymfBd5xd+UaMvpGx+AiwTloX6+Hre5iH42/+ooXT6dq5/VgW4336S0I3jkpYg7
+1qVWVidCnQkDsXpvBE9+gp5b/tFW7rXaOX1iEGX6qbVR8zooMHpzP/HSSTCzuKFp
+5ndWxyVswvm4MX947B2t0C3rGm2g7mXz6hicmzHZ6mTZ8r4g4MqbgLZBFnpTq+0W
+0dMt/6w5SmZMd/gYxZgv5rENuFGvUNWq4cZhZxLrdpLUNbvEUdFUR74pzZTQu49W
+RFDLd53TSj5rAoIBAFEDL0LT0TVl+ua916wt+2CpLgNibsxo3c/j9fx8ktWnKKLU
+YFekvfktloxxAguUnikctGnMhsspHq29q7wVBPWfejLoqeLn7nfoZkNlsgTef7x6
+vBq6h8v1WP/8A31mgsYUPgz3y991JlmwAlmr2Vw3JOQtASo3Xsq8/EuZiHgTri3p
+6jNY42eUpneoQoDIdNeu4lhkw8kp/B4MrkIiVWhns5z/bgpY/tzJukCbdrIYV6Ig
+ztS+wkyYjlhTKQ7Z0RxjnQd53/QzFh4b2gR9qcRpuaOhMKkJUxshIatEilq7RBaC
+fTv7oqyICZBiXnypWgpQKMLEipwNPIa/SFF5F3UCggEBAKR/gvkRaY5ZKkNgfkQ3
+MFL5Dieu1xodJ4glkKs9d0uzilMOP8Z01/IbxxOW8BSAwsMqvcWIscZoVSMgJ1ZZ
+9C5ImsHlbOb56Z1hbbX+plSuCG2u8Ofb692iwHVgBotjKdatr+ASUtXf80suwXzH
+0DexcPataPBfDfwm0peJEEwzJ07T43Y7cN0yFFmUywazIf+Nd9TKh1/y5Y22kI5x
+nLzGN+Yb0EyMdQ3Cs0Bkx7/2CkhLLSGXRWy1ofhzNw1dO+oGENxBX2uhNcSk2JOS
+SpkJyCl22CjWqqtVEUe+F5NvBML/doVarw+ZBWMoFMQpq9uGk+kOmOMa8Yw+fP+/
+XqECggEAP89j6zuXa8qFUswr9GveVqul14QTeTxots0NhQW1FWTT0eKiPQS9s8ur
+sqIbZWReoHbREaoZFFRyV7XiVDuyRzvmSXcn6gnIcNTovE5LoJyaUcgpzBi2qMde
+o27OKWv7eOHIaB27ynFl2xqnFZa7NgYT1OQMS7lAhwu4W2CyxNHHDMx6I///rNUy
+Fr2YD+hfU9IlsH2YIVWfWc88i584tVsTMJng4qAjRG7WTQYe77eoz30o2Bia2Iba
+7M3zq7097SnuIe/RZnvV3SnwG/cYE1LYLKDGypEmk2+Iczwzmmq1P3BDKAKM07JZ
+8d7KQOQz+3JY3pnPRm7VXg34IGSI/Q==
+-----END PRIVATE KEY-----

vaultwarden/docker-compose/vaultwarden/docker-compose.yaml

@@ -1,5 +1,16 @@
 services:
   vaultwarden:
+    labels:
+      - traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.rschneider.net`)
+      - traefik.http.routers.vaultwarden.tls=true
+      - traefik.http.routers.vaultwarden.service=vaultwarden
+      - traefik.http.services.vaultwarden.loadbalancer.server.port=80
+      - traefik.http.routers.vaultwarden-public.rule=Host(`password.rschneider.hu`)
+      - traefik.http.routers.vaultwarden-public.tls=true
+      - traefik.http.routers.vaultwarden-public.service=vaultwarden-public
+      - traefik.http.services.vaultwarden-public.loadbalancer.server.port=80
+#      - traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https
+#      - traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true
     image: vaultwarden/server:latest
     container_name: vaultwarden
     restart: always
@@ -10,3 +21,9 @@ services:
       - ./vw-data:/data # the path before the : can be changed
     ports:
       - 4111:80 # you can replace the 11001 with your preferred port
+    networks:
+      traefik_traefik:
+
+networks:
+  traefik_traefik:
+    external: true

watchtower/docker-compose/watchtower/docker-compose.yaml

@@ -0,0 +1,8 @@
+services:
+  watchtower:
+    image: containrrr/watchtower
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - WATCHTOWER_CLEANUP=true
+      - WATCHTOWER_POLL_INTERVAL=86400 # Checks once every 24 hours

xwiki/docker-compose/xwiki/docker-compose.yaml

@@ -1,10 +1,23 @@
 version: '2'
-networks:
-  bridge:
-    driver: bridge
+
 services:
   web:
+    labels:
+      - traefik.docker.network=traefik_traefik
+      ## xwiki router
+      - traefik.http.routers.xwiki.rule=Host(`xwiki.rschneider.net`)
+      - traefik.http.routers.xwiki.tls=true
+      - traefik.http.routers.xwiki.entrypoints=web, websecure
+      - traefik.http.routers.xwiki.service=xwiki
+      - traefik.http.services.xwiki.loadbalancer.server.port=8080
+      ## xwiki-public router
+      - traefik.http.routers.xwiki-public.rule=Host(`wiki.rschneider.hu`)
+      - traefik.http.routers.xwiki-public.tls=true
+      - traefik.http.routers.xwiki-public.entrypoints=web, websecure
+      - traefik.http.routers.xwiki-public.service=xwiki-public
+      - traefik.http.services.xwiki-public.loadbalancer.server.port=8080
     image: "xwiki:stable-mariadb-tomcat"
+    restart: always
     container_name: xwiki-mariadb-tomcat-web
     depends_on:
       - db
@@ -17,10 +30,11 @@ services:
     volumes:
       - xwiki-data:/usr/local/xwiki
     networks:
-      - bridge
+      traefik_traefik:
   db:
     image: "mariadb:11.4"
     container_name: xwiki-mariadb-db
+    restart: always
     volumes:
       - mariadb-data:/var/lib/mysql
       - ./init.sql:/docker-entrypoint-initdb.d/init.sql
@@ -34,7 +48,11 @@ services:
       - "--collation-server=utf8mb4_bin"
       - "--explicit-defaults-for-timestamp=1"
     networks:
-      - bridge
+      traefik_traefik:
 volumes:
   mariadb-data: {}
   xwiki-data: {}
+
+networks:
+  traefik_traefik:
+    external: true