From 981c7856849a407c949237a97ce45df500320cc5 Mon Sep 17 00:00:00 2001
From: Elias Fink
Date: Thu, 26 Jun 2025 20:20:13 +0200
Subject: [PATCH] Initial server configuration
---
.gitignore | 3 +++
compose.yml | 19 +++++++++++++++
gitea/compose.yml | 39 ++++++++++++++++++++++++++++++
nextcloud/compose.yml | 46 ++++++++++++++++++++++++++++++++++++
nextcloud/config/opcache.ini | 8 +++++++
portainer/compose.yml | 16 +++++++++++++
traefik/compose.yml | 18 ++++++++++++++
traefik/config/dashboard.yml | 9 +++++++
traefik/config/gitea.yml | 15 ++++++++++++
traefik/config/home.yml | 18 ++++++++++++++
traefik/config/nextcloud.yml | 15 ++++++++++++
traefik/config/portainer.yml | 15 ++++++++++++
traefik/config/security.yml | 16 +++++++++++++
traefik/traefik.yml | 34 ++++++++++++++++++++++++++
watchtower/compose.yml | 12 ++++++++++
15 files changed, 283 insertions(+)
create mode 100644 .gitignore
create mode 100644 compose.yml
create mode 100644 gitea/compose.yml
create mode 100644 nextcloud/compose.yml
create mode 100644 nextcloud/config/opcache.ini
create mode 100644 portainer/compose.yml
create mode 100644 traefik/compose.yml
create mode 100644 traefik/config/dashboard.yml
create mode 100644 traefik/config/gitea.yml
create mode 100644 traefik/config/home.yml
create mode 100644 traefik/config/nextcloud.yml
create mode 100644 traefik/config/portainer.yml
create mode 100644 traefik/config/security.yml
create mode 100644 traefik/traefik.yml
create mode 100644 watchtower/compose.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..abdd7d6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+data
+db
+.env
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..53ee022
--- /dev/null
+++ b/compose.yml
@@ -0,0 +1,19 @@
+# /services/portainer/compose.yml
+
+services:
+ portainer:
+ image: portainer/portainer-ce:lts
+ container_name: portainer
+ restart: always
+ networks:
+ - traefik
+ ports:
+ - 8000:8000
+ - 9443:9443
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - portainer_data:/data
+
+networks:
+ traefik:
+ external: true
diff --git a/gitea/compose.yml b/gitea/compose.yml
new file mode 100644
index 0000000..579d788
--- /dev/null
+++ b/gitea/compose.yml
@@ -0,0 +1,39 @@
+# /services/gitea/compose.yml
+
+services:
+ gitea:
+ image: gitea/gitea:1
+ container_name: gitea
+ restart: always
+ depends_on:
+ - gitea_db
+ environment:
+ - GITEA__database__DB_TYPE=postgres
+ - GITEA__database__HOST=gitea_db:5432
+ - GITEA__database__NAME=gitea
+ - GITEA__database__USER=gitea
+ - GITEA__database__PASSWD=${DB_PASSWORD}
+ networks:
+ - default
+ - traefik
+ volumes:
+ - ./data:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+
+ gitea_db:
+ image: postgres:17
+ container_name: gitea_db
+ restart: always
+ environment:
+ - POSTGRES_DB=gitea
+ - POSTGRES_USER=gitea
+ - POSTGRES_PASSWORD=${DB_PASSWORD}
+ networks:
+ - default
+ volumes:
+ - ./db:/var/lib/postgresql/data
+
+networks:
+ traefik:
+ external: true
diff --git a/nextcloud/compose.yml b/nextcloud/compose.yml
new file mode 100644
index 0000000..05fa7a7
--- /dev/null
+++ b/nextcloud/compose.yml
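Review bot: `portainer_data:/data` in the root compose.yml refers to a named volume that no top-level `volumes:` stanza declares, so Compose will refuse to bring the service up, and the file otherwise duplicates portainer/compose.yml from this same commit (same `container_name: portainer`, same Docker socket mount), so starting both conflicts on the container name. The extra `ports` entries publish 8000 and 9443 on every host interface, which lets clients reach Portainer directly and bypass the Traefik `https` entry point where TLS termination and the `default-security` headers are applied. If the root file is meant to stay, drop the `ports:` block and add `volumes:` / `  portainer_data:` at top level; otherwise delete it and keep the portainer/ copy, which already uses a bind mount and is only reachable through Traefik.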
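Review bot: `GITEA__database__PASSWD=${DB_PASSWORD}` and `POSTGRES_PASSWORD=${DB_PASSWORD}` put the database password into the container environment, where it is readable via `docker inspect` and by anyone who can use the Portainer instance that this commit hands the Docker socket; nextcloud/compose.yml has the same pattern. Both images accept a file-based variant instead, `GITEA__database__PASSWD__FILE=/run/secrets/db_password` and `POSTGRES_PASSWORD_FILE=/run/secrets/db_password`, backed by a top-level `secrets:` stanza whose `db_password` entry points at a file kept outside the repository and a `secrets:` list on each service. Note too that Compose interpolates `${DB_PASSWORD}` itself, so a password containing `$` needs to be written as `$$` in `.env` or it is likely to be altered before it reaches the containers.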
@@ -0,0 +1,46 @@
+# /services/nextcloud/compose.yml
+
+services:
+ nextcloud:
+ image: nextcloud:31
+ container_name: nextcloud
+ restart: always
+ depends_on:
+ - nextcloud_db
+ - nextcloud_redis
+ environment:
+ - POSTGRES_HOST=nextcloud_db
+ - POSTGRES_DB=nextcloud
+ - POSTGRES_USER=nextcloud
+ - POSTGRES_PASSWORD=${DB_PASSWORD}
+ - REDIS_HOST=nextcloud_redis
+ networks:
+ - default
+ - traefik
+ volumes:
+ - ./config/opcache.ini:/usr/local/etc/php/conf.d/opcache.ini:ro
+ - ./data:/var/www/html
+
+ nextcloud_db:
+ image: postgres:17
+ container_name: nextcloud_db
+ restart: always
+ environment:
+ - POSTGRES_DB=nextcloud
+ - POSTGRES_USER=nextcloud
+ - POSTGRES_PASSWORD=${DB_PASSWORD}
+ networks:
+ - default
+ volumes:
+ - ./db:/var/lib/postgresql/data
+
+ nextcloud_redis:
+ image: redis:8
+ container_name: nextcloud_redis
+ restart: always
+ networks:
+ - default
+
+networks:
+ traefik:
+ external: true
diff --git a/nextcloud/config/opcache.ini b/nextcloud/config/opcache.ini
new file mode 100644
index 0000000..3a55bdb
--- /dev/null
+++ b/nextcloud/config/opcache.ini
@@ -0,0 +1,8 @@
+[opcache]
+opcache.enable=1
+opcache.enable_cli=1
+opcache.memory_consumption=256
+opcache.interned_strings_buffer=16
+opcache.max_accelerated_files=10000
+opcache.revalidate_freq=1
+opcache.save_comments=1
diff --git a/portainer/compose.yml b/portainer/compose.yml
new file mode 100644
index 0000000..fef8994
--- /dev/null
+++ b/portainer/compose.yml
@@ -0,0 +1,16 @@
+# /services/portainer/compose.yml
+
+services:
+ portainer:
+ image: portainer/portainer-ce:lts
+ container_name: portainer
+ restart: always
+ networks:
+ - traefik
+ volumes:
+ - ./data:/data
+ - /var/run/docker.sock:/var/run/docker.sock
+
+networks:
+ traefik:
+ external: true
diff --git a/traefik/compose.yml b/traefik/compose.yml
new file mode 100644
index 0000000..72fbf26
--- /dev/null
+++ b/traefik/compose.yml
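Review bot: The `nextcloud` service is fronted by Traefik over the `traefik` network but sets none of the reverse-proxy variables the official image reads, so Nextcloud will record the proxy container's address as every client's IP and generate links with the wrong scheme; its per-IP brute-force throttling then slows all users together instead of the offending source. Add `TRUSTED_PROXIES=<traefik network CIDR>`, `OVERWRITEPROTOCOL=https` and `NEXTCLOUD_TRUSTED_DOMAINS=cloud.eliasfink.de` to the `environment` list, where the CIDR is the subnet of the external `traefik` network, which this commit does not show. Keeping `nextcloud_db` and `nextcloud_redis` on `default` only, as the file already does, is the right scoping for the unauthenticated Redis instance.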
@@ -0,0 +1,18 @@
+# /services/traefik/compose.yml
+
+services:
+ traefik:
+ image: traefik:3
+ container_name: traefik
+ restart: always
+ networks:
+ - traefik
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - ./:/etc/traefik
+
+networks:
+ traefik:
+ external: true
diff --git a/traefik/config/dashboard.yml b/traefik/config/dashboard.yml
new file mode 100644
index 0000000..ab311da
--- /dev/null
+++ b/traefik/config/dashboard.yml
@@ -0,0 +1,9 @@
+# /services/traefik/config/dashboard.yml
+
+http:
+ routers:
+ traefik:
+ entryPoints:
+ - https
+ rule: Host(`traefik.eliasfink.de`)
+ service: api@internal
diff --git a/traefik/config/gitea.yml b/traefik/config/gitea.yml
new file mode 100644
index 0000000..cebcf9e
--- /dev/null
+++ b/traefik/config/gitea.yml
@@ -0,0 +1,15 @@
+# /services/traefik/config/gitea.yml
+
+http:
+ routers:
+ git:
+ entryPoints:
+ - https
+ rule: Host(`git.eliasfink.de`)
+ service: gitea
+
+ services:
+ gitea:
+ loadBalancer:
+ servers:
+ - url: http://gitea:3000
diff --git a/traefik/config/home.yml b/traefik/config/home.yml
new file mode 100644
index 0000000..534b8f2
--- /dev/null
+++ b/traefik/config/home.yml
@@ -0,0 +1,18 @@
+# /services/traefik/config/home.yml
+
+http:
+ routers:
+ server:
+ entryPoints:
+ - https
+ rule: Host(`server.eliasfink.de`)
+ middlewares:
+ - home-redirect
+ service: noop@internal
+
+ middlewares:
+ home-redirect:
+ redirectRegex:
+ permanent: true
+ regex: ^.+$
+ replacement: https://eliasfink.de
diff --git a/traefik/config/nextcloud.yml b/traefik/config/nextcloud.yml
new file mode 100644
index 0000000..8face34
--- /dev/null
+++ b/traefik/config/nextcloud.yml
@@ -0,0 +1,15 @@
+# /services/traefik/config/nextcloud.yml
+
+http:
+ routers:
+ cloud:
+ entryPoints:
+ - https
+ rule: Host(`cloud.eliasfink.de`)
+ service: nextcloud
+
+ services:
+ nextcloud:
+ loadBalancer:
+ servers:
+ - url: http://nextcloud:80
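Review bot: In traefik/config/dashboard.yml the `traefik` router hands `traefik.eliasfink.de` to `api@internal` with no `middlewares` entry, so the dashboard and the API it exposes are reachable by anyone who resolves the name, and the complete routing configuration (backend URLs, middleware settings) is readable without credentials. The `default-security` chain attached at the entry point in traefik.yml only adds response headers and provides no authentication. Attach an auth middleware to this router — a `basicAuth` middleware whose `users` entry is a bcrypt hash generated outside the repository, optionally combined with an `ipAllowList` for an administrative range — as sketched below.
```yaml
    traefik:
      # … unchanged: entryPoints, rule …
      middlewares:
        - dashboard-auth
      service: api@internal

  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          - "<user>:<bcrypt-hash>"  # placeholder; generate the hash outside the repo
```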
diff --git a/traefik/config/portainer.yml b/traefik/config/portainer.yml
new file mode 100644
index 0000000..e8608c6
--- /dev/null
+++ b/traefik/config/portainer.yml
@@ -0,0 +1,15 @@
+# /services/traefik/config/portainer.yml
+
+http:
+ routers:
+ portainer:
+ entryPoints:
+ - https
+ rule: Host(`portainer.eliasfink.de`)
+ service: portainer
+
+ services:
+ portainer:
+ loadBalancer:
+ servers:
+ - url: http://portainer:9443
diff --git a/traefik/config/security.yml b/traefik/config/security.yml
new file mode 100644
index 0000000..8164e5a
--- /dev/null
+++ b/traefik/config/security.yml
@@ -0,0 +1,16 @@
+# /services/traefik/config/security.yml
+
+http:
+ middlewares:
+ default-security:
+ chain:
+ middlewares:
+ - secure-headers
+ secure-headers:
+ headers:
+ hostsProxyHeaders:
+ - X-Forwarded-Host
+ stsSeconds: 31536000
+ stsIncludeSubdomains: true
+ stsPreload: true
+ referrerPolicy: same-origin
diff --git a/traefik/traefik.yml b/traefik/traefik.yml
new file mode 100644
index 0000000..e142d26
--- /dev/null
+++ b/traefik/traefik.yml
@@ -0,0 +1,34 @@
+# /services/traefik/traefik.yml
+
+global:
+ checkNewVersion: true
+ sendAnonymousUsage: false
+
+entryPoints:
+ http:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: https
+ https:
+ address: :443
+ http:
+ middlewares:
+ - default-security
+ tls:
+ certResolver: letsencrypt
+
+api: {}
+
+providers:
+ file:
+ directory: /etc/traefik/config
+ watch: true
+
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ email: mail@eliasfink.de
+ # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # use staging server instead of production
+ tlsChallenge: {}
diff --git a/watchtower/compose.yml b/watchtower/compose.yml
new file mode 100644
index 0000000..5528e33
--- /dev/null
+++ b/watchtower/compose.yml
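Review bot: `url: http://portainer:9443` in traefik/config/portainer.yml mixes schemes — the Portainer CE image serves TLS on 9443 and plain HTTP on 9000 — so Traefik will send cleartext to a TLS listener and every request through `portainer.eliasfink.de` should fail with a bad gateway. The simpler fix is to use the HTTP listener, `- url: http://portainer:9000`, which stays on the internal `traefik` network and is never published by portainer/compose.yml; the alternative is `https://portainer:9443` plus a `serversTransport` that trusts Portainer's self-signed certificate.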
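Review bot: `secure-headers` in traefik/config/security.yml sets HSTS and a referrer policy but omits two headers the fronted applications benefit from: `contentTypeNosniff: true` and a frame policy such as `customFrameOptionsValue: SAMEORIGIN` (a blanket `frameDeny: true` may break Nextcloud features that load same-origin frames, so prefer SAMEORIGIN unless that has been tested). `stsPreload: true` together with `stsIncludeSubdomains: true` is a commitment: once eliasfink.de is submitted to the preload list, every subdomain — including ones this host does not serve — must be reachable over HTTPS, and removal takes months, so confirm that before submitting the domain. Attaching the chain at the entry point in traefik.yml means every new `https` router inherits it, which is the right default.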
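Review bot: The `letsencrypt` resolver in traefik/traefik.yml sets no `storage`, so Traefik writes its ACME state to the default relative path `acme.json` inside the container rather than under the `./:/etc/traefik` mount from traefik/compose.yml; each container recreation (which watchtower/compose.yml will trigger unattended) then discards the issued certificates and requests new ones, and Let's Encrypt's duplicate-certificate rate limit can eventually leave the host without a valid certificate. Add `storage: /etc/traefik/acme.json` under `acme:` and create the file with mode 600 beforehand — Traefik refuses more permissive modes, and the file holds the private keys. Separately, the entry-point reference `- default-security` appears to be resolved relative to each router's provider; that works here because every router in this commit comes from the file provider, but `- default-security@file` is the unambiguous form and avoids a silent lookup failure if a Docker-provider router is added later.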
@@ -0,0 +1,12 @@
+# /services/watchtower/compose.yml
+
+services:
+ watchtower:
+ image: containrrr/watchtower:arm64v8-latest
+ container_name: watchtower
+ restart: always
+ command:
+ --cleanup
+ --schedule "0 3 * * *"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
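Review bot: As configured, Watchtower pulls and replaces every container on the host each night at 03:00 — Traefik, both Postgres instances, Nextcloud and Portainer included — using the Docker socket mounted on the last line, so a compromised or merely broken upstream tag is rolled out unattended with root-equivalent access and there is no opt-in scope. Restricting it with `--label-enable` plus a `com.centurylinklabs.watchtower.enable=true` label on the services that should auto-update (or `--monitor-only` with a notification channel) keeps a human in the loop for the database and proxy images. The `command` is also written as a multi-line plain scalar, which YAML folds into a single string that Compose then splits shell-style; the list form `command: ["--cleanup", "--schedule", "0 3 * * *"]` makes the quoting explicit and avoids that double parsing.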