.gitignore

@@ -1,15 +1,5 @@
-# These will be a local sym-link
-*.local
-*.local.yml
-# local env should not be committed
-app.env
-# local data should always be in a subdir named local, and never committed
-**/local
-# traefik/tls and /sahred shouldn't exist, but in case they are copied over - don't commit them
-_traefik/tls
-_traefik/shared
-# make it eash to disable stuff without committing
-tmp.*
-*.tmp
-*.off
-
+.env.local
+_traefik.dynamic/tls
+_traefik.dynamic/shared/acme.json
+**/app.env
+ddns-updater/config.json

_bin/checkver.sh

@@ -1,49 +0,0 @@
-#! /usr/bin/env bash
-SCRIPT_DIR=${SCRIPT_DIR:-"$( cd -- "$( dirname -- "$0" )" &> /dev/null && pwd )"}
- 
-# Function to compare semantic versions
-compare_major_version() {
-    local major_version1=$(echo $1 | cut -d. -f1)
-    local major_version2=$(echo $2 | cut -d. -f1)
- 
-    if [[ "$major_version1" == "$major_version2" ]]; then
-        return 0
-    else
-        return 1
-    fi
-}
- 
-# Get Current Version of Runtipi
-runtipi_path=${RUNTIPI_DIR:-"$(cd -- "${SCRIPT_DIR}/../.." &> /dev/null && pwd )"}
-[ -r "$runtipi_path/VERSION" ] || runtipi_path=${RUNTIPI_DIR:-"$(cd -- "${SCRIPT_DIR}/../../_" &> /dev/null && pwd )"}
-current_version=$(cat "$runtipi_path/VERSION")
- 
-# Get the latest release information from GitHub API
-latest_release=$(curl -sL \
-  -H "Accept: application/vnd.github+json" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
-  https://api.github.com/repos/runtipi/runtipi/releases/latest)
- 
-# Extract the tag name from the release information
-tag_name=$(echo "$latest_release" | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4)
- 
-printf 'current: %-10s online: %-10s\n' "$current_version" "$tag_name" >&2
-# Compare major version numbers
-compare_major_version "$tag_name" "$current_version"
-# major_version_match=$?
-#  
-# # Check if major versions are the same and if the latest release is newer than the current version
-# if [[ $major_version_match -eq 0 ]] && [[ "$tag_name" > "$current_version" ]]; then
-#     echo "A new release is available: $tag_name"
-#     cd $runtipi_path
-#     echo "Backing up current version"
-#     if [ ! -d "$runtipi_path/backups" ]; then
-#         mkdir -p $runtipi_path/backups
-#     fi
-#     tar -czvf runtipi-backup-$current_version.tar.gz --exclude=media --exclude=backups *
-#     mv runtipi-backup-$current_version.tar.gz $runtipi_path/backups
-#     echo "Starting update"
-#     echo $runtipi_path/runtipi-cli update latest
-# else
-#     echo "No new release found or major version mismatch"
-# fi

_bin/runtipictl

@@ -6,12 +6,6 @@ jlmkr () {
 
 JAIL_UID=${JAIL_UID:-${UID}}
 
-jlmkr-shell() {
-    if jlmkr exec runtipi true; then
-         jlmkr shell --uid "${JAIL_UID}" runtipi
-    fi
-}
-
 jlmkr-exec () {
     local set_x=" set -x; pwd; id; "
     [ -z "$QUIET" ] || set_x=""
@@ -89,9 +83,6 @@ case "${1}" in
         _ERROR_MSG="ERROR: failed to invoke a command inside the runtipi jail and can't start the jail." \
         runtipi-cli start --env-file user-config/.env.local --no-permissions
         ;;
-    shell)
-        jlmkr-shell
-        ;;
     exec)
         jlmkr-exec "${@:2}"
         ;;
@@ -133,12 +124,8 @@ case "${1}" in
             "" "" "" \
             "misc." "" ""\
             "" "exec"       "execute within the shell, START_DIR env applies" \
-            "" "shell"      "enter an insteractive shell" \
             "" "" "" \
-            "" "setup"      "setup runtipictl in user's .local/bin dir" \
-            "" "" "" \
-            "Related env. vars:" "" "" \
-            "" "VISUAL EDITOR JAIL_UID QUIET START_DIR ROOT_EXEC" ""
+            "" "setup"      "setup runtipictl in user's .local/bin dir"
 
         ;;
 esac

_traefik.dynamic/dynamic/dynamic.yml

@@ -1,4 +1,8 @@
 http:
+  serversTransports:
+    insecuretransport:
+      insecureSkipVerify: true
+      
   middlewares:
     secureHeaders:
       headers:
@@ -14,3 +18,14 @@ http:
         permissionsPolicy: "camera=(), microphone=(), geolocation=()"
         customResponseHeaders:
           X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/traefik/tls/cert.pem
+        keyFile: /etc/traefik/tls/key.pem
+  certificates:
+    - certFile: /etc/traefik/tls/cert.pem
+      keyFile: /etc/traefik/tls/key.pem
+

_traefik.dynamic/dynamic/ha.yml

@@ -2,7 +2,7 @@
 http:
   routers:
     # Define a connection between requests and services
-    home-assistant:
+    "to-ha":
       rule: "Host(`ha.lksz.me`)" 
       entrypoints:
       - websecure

_traefik.dynamic/dynamic/kasm-workspaces.yml

@@ -0,0 +1,42 @@
+# http routing section
+http:
+  routers:
+    # Define a connection between requests and services
+    "to-kasm-main":
+      rule: "Host(`k.szk.li`)" 
+      entrypoints:
+      - websecure
+    # # If the rule matches, applies the middleware
+      middlewares:
+      - authentik_sysmgr
+    # - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: kasm-main
+      tls:
+        certresolver: myresolver
+
+    # Define a connection between requests and services
+    "to-kasm-setup":
+      rule: "Host(`ksetup.szk.li`)" 
+      entrypoints:
+      - websecure
+    # # If the rule matches, applies the middleware
+      middlewares:
+      - authentik_sysmgr
+    # - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: kasm-setup
+      tls:
+        certresolver: myresolver
+
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    kasm-main:
+      loadBalancer:      
+        servers:
+        - url: "https://kasm-workspaces:8744"
+    kasm-setup:
+      loadBalancer:      
+        servers:
+        - url: "https://kasm-workspaces:8743"

_traefik.dynamic/dynamic/kateryna_apps.yml

@@ -0,0 +1,29 @@
+# http routing section
+http:
+  routers:
+    to-kateryna:
+      rule: "Host(`kateryna.szk.li`)
+        || Host(`kateryna.lksz.me`)
+        || Host(`m.lksz.me`)
+        || Host(`auth.lksz.me`)
+        || Host(`sync.lksz.me`)
+        || Host(`radarr.lksz.me`)
+        || Host(`sonarr.lksz.me`)
+        || Host(`prowlarr.lksz.me`)
+        || Host(`req.lksz.me`)
+        || Host(`jd.lksz.me`)
+        || Host(`nzb.lksz.me`)
+        || Host(`stats.player.lksz.me`)
+        "
+      entrypoints:
+      - websecure
+      service: kateryna-traefik
+      tls:
+        certresolver: myresolver
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    kateryna-traefik:
+      loadBalancer:
+        servers:
+        - url: https://kateryna.lksz.me

_traefik.dynamic/traefik.yml

@@ -0,0 +1,42 @@
+api:
+  dashboard: true
+  insecure: true
+
+providers:
+  docker:
+    endpoint: 'unix:///var/run/docker.sock'
+    watch: true
+    exposedByDefault: false
+  file:
+    directory: /etc/traefik/dynamic
+    watch: true
+
+entryPoints:
+  web:
+    address: ':80'
+    forwardedHeaders:
+      trustedIPs:
+        - "127.0.0.1/32"
+        - "172.16.0.0/12"
+    http:
+      redirections:
+        entryPoint:
+          to: 'websecure'
+          scheme: 'https'
+  websecure:
+    address: ':443'
+    forwardedHeaders:
+      trustedIPs:
+        - "127.0.0.1/32"
+        - "172.16.0.0/12"
+
+certificatesResolvers:
+  httpresolver:
+    acme:
+#     email: acme@thisprops.com
+      storage: /shared/acme.json
+      httpChallenge:
+        entryPoint: web
+
+log:
+  level: ERROR

_traefik/dynamic/_templates/mw.fwd-auth-sysmgr.yml.shefet

@@ -1,19 +0,0 @@
-http:
-  middlewares:
-    authentik_sysmgr:
-      forwardAuth:
-        address: https://auth.shefet.net/outpost.goauthentik.io/auth/traefik
-        trustForwardHeader: true
-        authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
-        # authResponseHeaders:
-        #   - X-authentik-username
-        #   - X-authentik-groups
-        #   - X-authentik-email
-        #   - X-authentik-name
-        #   - X-authentik-uid
-        #   - X-authentik-jwt
-        #   - X-authentik-meta-jwks
-        #   - X-authentik-meta-outpost
-        #   - X-authentik-meta-provider
-        #   - X-authentik-meta-app
-        #   - X-authentik-meta-version

_traefik/dynamic/_templates/rt.ha.yml.shefet

@@ -1,23 +0,0 @@
-# http routing section
-http:
-  routers:
-    # Define a connection between requests and services
-    home-assistant:
-      rule: "Host(`ha.shefet.net`)" 
-      entrypoints:
-      - websecure
-    # # If the rule matches, applies the middleware
-    # middlewares:
-    # - test-user
-      # If the rule matches, forward to the whoami service (declared below)
-      service: home-assistant
-      tls:
-        certresolver: myresolver
-
-  services:
-    # Define how to reach an existing service on our infrastructure
-    home-assistant:
-      loadBalancer:      
-        servers:
-        - url: "http://ha.lan:8123"
-        #- address: "ha.lan:8123"

_traefik/dynamic/http.yml

@@ -1,4 +0,0 @@
-http:
-  serversTransports:
-    insecuretransport:
-      insecureSkipVerify: true

_traefik/dynamic/mw.lan-only.yml

@@ -1,8 +0,0 @@
-# Accepts request from defined IP
-http:
-  middlewares:
-    lan-only:
-      ipWhiteList:
-        sourceRange:
-          - "127.0.0.1/32"
-          - "192.168.0.0/16"

_traefik/dynamic/tls.yml

@@ -1,9 +0,0 @@
-tls:
-  stores:
-    default:
-      defaultCertificate:
-        certFile: /etc/traefik/tls/cert.pem
-        keyFile: /etc/traefik/tls/key.pem
-  certificates:
-    - certFile: /etc/traefik/tls/cert.pem
-      keyFile: /etc/traefik/tls/key.pem

_traefik/static.yml

@@ -1,48 +0,0 @@
-  # log:
-  #   level: INFO
-
-  api:
-    dashboard: true
-    insecure: true
-
-  providers:
-    docker:
-      endpoint: "unix:///var/run/docker.sock"
-      watch: true
-      exposedByDefault: false
-    file:
-      directory: /srv/traefik/dynamic
-      watch: true
-
-  entryPoints:
-    web:
-      address: ':80'
-      forwardedHeaders:
-        trustedIPs:
-          - "127.0.0.1/32"
-          - "172.16.0.0/12"
-      http:
-        redirections:
-          entryPoint:
-            to: 'websecure'
-            scheme: 'https'
-    websecure:
-      address: ':443'
-      forwardedHeaders:
-        trustedIPs:
-          - "127.0.0.1/32"
-          - "172.16.0.0/12"
-
-  certificatesResolvers:
-    myresolver:
-      acme:    
-      # email: acme@thisprops.com
-        storage: /shared/acme.json
-        # httpChallenge:
-        #   entryPoint: web
-        #logging: true
-        dnsChallenge:
-          provider: cloudflare
-          resolvers:
-          - 1.1.1.1:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[0]=1.1.1.1:53
-          - 8.8.8.8:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[1]=8.8.8.8:53

szetup.sh

@@ -1,35 +0,0 @@
-#! /usr/bin/env bash
-set -e
-SCRIPT_DIR=${SCRIPT_DIR:-"$( cd -- "$( dirname -- "$0" )" &> /dev/null && pwd )"}
-
-SYS_NAME=${1:-${SYS_NAME:?Must supply sysname as 1st argument}}
-TOP_DIR="$SCRIPT_DIR/_traefik/dynamic"
-
-# Store the find results in an array
-mapfile -d '' -t DELETE < <(find "$TOP_DIR" -maxdepth 1 -mindepth 1 -type l -lname '*_templates/*' -print0)
-
-# If links were found, process and delete them
-if [ ${#DELETE[@]} -gt 0 ]; then
-    for link in "${DELETE[@]}"; do
-        # Get the target of the symbolic link
-	target=$(basename $(readlink -f "$link"))
-        
-        # Delete the link
-        rm "$link"
-        
-        # Report the deleted link and its target
-	printf '"%s" (%s) deleted.\n' "$link" "${target##*.}"
-    done
-else
-    echo "No matching symbolic links found to delete."
-fi
-
-
-find "$TOP_DIR/_templates" -maxdepth 1 -mindepth 1 -type f -name "*.${SYS_NAME}" -print0 \
-| while IFS= read -r -d '' file; do
-    base=$(basename "$file" ".${SYS_NAME}")
-    ext="${base##*.}"
-    #echo ln -rs "${file#${TOP_DIR}/}" "${base}"
-    ln -vrs "${file}" "${TOP_DIR}/${base%${ext}}local.$ext"
-done
-

tipi-compose.yml

@@ -1,37 +1,16 @@
 services:
   runtipi-reverse-proxy:
-    volumes:
-    - type: bind
-      source: ./traefik/shared
-      target: /shared
-      read_only: false
-    - type: bind
-      source: ./traefik
-      target: /srv/traefik
-      read_only: false
-    - type: bind
-      source: ./user-config/_traefik/dynamic/
-      target: /srv/traefik/dynamic/
-      read_only: true
-    - type: bind
-      source: ./user-config/_traefik/static.yml
-      target: /srv/traefik/static.yml
-      read_only: true
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "2m"
-        max-file: "3"
     ports:
       - 8080:8080
     command: 
-      - '--log.level=DEBUG'
-      - '--configFile=/srv/traefik/static.yml'
+      - '--providers.docker'
+      - '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic'
       - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}'
+      - '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json'
+      - '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare'
     environment:
-      CF_API_EMAIL: "${ACME_EMAIL:?}"
-      CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN:?}"
-      TRAEFIK_API_DISABLEDASHBOARDAD: "true"
+      CF_API_EMAIL: "${ACME_EMAIL}"
+      CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"
     networks:
     - tipi_main_network
     - tipi_internal_network

vaultwarden/docker-compose.yml

@@ -16,12 +16,14 @@ services:
     volumes:
     - /srv/vaultwarden/data:/data
     labels:
-      # Websecure
-      traefik.http.routers.vaultwarden.rule: Host(`www.${ROOT_DOMAIN}`)${APP_ROUTE_OPTIONAL:-}
-      # traefik.http.routers.vaultwarden-more.entrypoints: websecure
-      # traefik.http.routers.vaultwarden-more.service: vaultwarden
-      # traefik.http.routers.vaultwarden-more.tls: true
-      # traefik.http.routers.vaultwarden-more.tls.certresolver: myresolver
+    # Main
+      traefik.docker.network: runtipi_tipi_main_network
+    # # Websecure
+      traefik.http.routers.vaultwarden-more.rule: Host(`vault.lksz.me`)${APP_ROUTE_OPTIONAL:-}
+      traefik.http.routers.vaultwarden-more.entrypoints: websecure
+      traefik.http.routers.vaultwarden-more.service: vaultwarden
+      traefik.http.routers.vaultwarden-more.tls: true
+      traefik.http.routers.vaultwarden-more.tls.certresolver: myresolver
 networks:
   vaultwarden_pg_dockge:
     external: true