Initial server configuration

.gitignore

@@ -0,0 +1,3 @@
+data
+db
+.env

compose.yml

@@ -0,0 +1,19 @@
+# /services/portainer/compose.yml
+
+services:
+  portainer:
+    image: portainer/portainer-ce:lts
+    container_name: portainer
+    restart: always
+    networks:
+      - traefik
+    ports:
+      - 8000:8000
+      - 9443:9443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+
+networks:
+  traefik:
+    external: true

gitea/compose.yml

@@ -0,0 +1,39 @@
+# /services/gitea/compose.yml
+
+services:
+  gitea:
+    image: gitea/gitea:1
+    container_name: gitea
+    restart: always
+    depends_on:
+      - gitea_db
+    environment:
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=gitea_db:5432
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=${DB_PASSWORD}
+    networks:
+      - default
+      - traefik
+    volumes:
+      - ./data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+
+  gitea_db:
+    image: postgres:17
+    container_name: gitea_db
+    restart: always
+    environment:
+      - POSTGRES_DB=gitea
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+    networks:
+      - default
+    volumes:
+      - ./db:/var/lib/postgresql/data
+
+networks:
+  traefik:
+    external: true

nextcloud/compose.yml

@@ -0,0 +1,46 @@
+# /services/nextcloud/compose.yml
+
+services:
+  nextcloud:
+    image: nextcloud:31
+    container_name: nextcloud
+    restart: always
+    depends_on:
+      - nextcloud_db
+      - nextcloud_redis
+    environment:
+      - POSTGRES_HOST=nextcloud_db
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      - REDIS_HOST=nextcloud_redis
+    networks:
+      - default
+      - traefik
+    volumes:
+      - ./config/opcache.ini:/usr/local/etc/php/conf.d/opcache.ini:ro
+      - ./data:/var/www/html
+
+  nextcloud_db:
+    image: postgres:17
+    container_name: nextcloud_db
+    restart: always
+    environment:
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+    networks:
+      - default
+    volumes:
+      - ./db:/var/lib/postgresql/data
+
+  nextcloud_redis:
+    image: redis:8
+    container_name: nextcloud_redis
+    restart: always
+    networks:
+      - default
+
+networks:
+  traefik:
+    external: true

nextcloud/config/opcache.ini

@@ -0,0 +1,8 @@
+[opcache]
+opcache.enable=1
+opcache.enable_cli=1
+opcache.memory_consumption=256
+opcache.interned_strings_buffer=16
+opcache.max_accelerated_files=10000
+opcache.revalidate_freq=1
+opcache.save_comments=1

portainer/compose.yml

@@ -0,0 +1,16 @@
+# /services/portainer/compose.yml
+
+services:
+  portainer:
+    image: portainer/portainer-ce:lts
+    container_name: portainer
+    restart: always
+    networks:
+      - traefik
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+
+networks:
+  traefik:
+    external: true

traefik/compose.yml

@@ -0,0 +1,18 @@
+# /services/traefik/compose.yml
+
+services:
+  traefik:
+    image: traefik:3
+    container_name: traefik
+    restart: always
+    networks:
+      - traefik
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./:/etc/traefik
+
+networks:
+  traefik:
+    external: true

traefik/config/dashboard.yml

@@ -0,0 +1,9 @@
+# /services/traefik/config/dashboard.yml
+
+http:
+  routers:
+    traefik:
+      entryPoints:
+        - https
+      rule: Host(`traefik.eliasfink.de`)
+      service: api@internal

traefik/config/gitea.yml

@@ -0,0 +1,15 @@
+# /services/traefik/config/gitea.yml
+
+http:
+  routers:
+    git:
+      entryPoints:
+        - https
+      rule: Host(`git.eliasfink.de`)
+      service: gitea
+
+  services:
+    gitea:
+      loadBalancer:
+        servers:
+          - url: http://gitea:3000

traefik/config/home.yml

@@ -0,0 +1,18 @@
+# /services/traefik/config/home.yml
+
+http:
+  routers:
+    server:
+      entryPoints:
+        - https
+      rule: Host(`server.eliasfink.de`)
+      middlewares:
+        - home-redirect
+      service: noop@internal
+
+  middlewares:
+    home-redirect:
+      redirectRegex:
+        permanent: true
+        regex: ^.+$
+        replacement: https://eliasfink.de

traefik/config/nextcloud.yml

@@ -0,0 +1,15 @@
+# /services/traefik/config/nextcloud.yml
+
+http:
+  routers:
+    cloud:
+      entryPoints:
+        - https
+      rule: Host(`cloud.eliasfink.de`)
+      service: nextcloud
+
+  services:
+    nextcloud:
+      loadBalancer:
+        servers:
+          - url: http://nextcloud:80

traefik/config/portainer.yml

@@ -0,0 +1,15 @@
+# /services/traefik/config/portainer.yml
+
+http:
+  routers:
+    portainer:
+      entryPoints:
+        - https
+      rule: Host(`portainer.eliasfink.de`)
+      service: portainer
+
+  services:
+    portainer:
+      loadBalancer:
+        servers:
+          - url: http://portainer:9443

traefik/config/security.yml

@@ -0,0 +1,16 @@
+# /services/traefik/config/security.yml
+
+http:
+  middlewares:
+    default-security:
+      chain:
+        middlewares:
+          - secure-headers
+    secure-headers:
+      headers:
+        hostsProxyHeaders:
+          - X-Forwarded-Host
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        referrerPolicy: same-origin

traefik/traefik.yml

@@ -0,0 +1,34 @@
+# /services/traefik/traefik.yml
+
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+
+entryPoints:
+  http:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: https
+  https:
+    address: :443
+    http:
+      middlewares:
+        - default-security
+      tls:
+        certResolver: letsencrypt
+
+api: {}
+
+providers:
+  file:
+    directory: /etc/traefik/config
+    watch: true
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: mail@eliasfink.de
+    # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # use staging server instead of production
+      tlsChallenge: {}

watchtower/compose.yml

@@ -0,0 +1,12 @@
+# /services/watchtower/compose.yml
+
+services:
+  watchtower:
+    image: containrrr/watchtower:arm64v8-latest
+    container_name: watchtower
+    restart: always
+    command:
+      --cleanup
+      --schedule "0 3 * * *"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock