Change overleaf domain to latex.eliasfink.de

This reverts commit 29b35c2a22.

.gitignore

@@ -1,3 +1,8 @@
+# Folders
+cache
+certs
 data
 db
-.env
+
+# Files
+.env

authentik/compose.yml

@@ -0,0 +1,79 @@
+# /services/authentik/compose.yml
+
+services:
+  authentik_server:
+    image: authentik/server:2025.10
+    container_name: authentik_server
+    restart: always
+    command: server
+    depends_on:
+      authentik_db:
+        condition: service_healthy
+    environment:
+      AUTHENTIK_POSTGRESQL__HOST: authentik_db
+      AUTHENTIK_POSTGRESQL__NAME: authentik
+      AUTHENTIK_POSTGRESQL__USER: authentik
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${DB_PASSWORD}
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+    networks:
+      - default
+      - traefik
+    volumes:
+      - ./data/media:/media
+      - ./data/templates:/templates
+
+  authentik_worker:
+    image: authentik/server:2025.10
+    container_name: authentik_worker
+    restart: always
+    command: worker
+    depends_on:
+      authentik_db:
+        condition: service_healthy
+    environment:
+      AUTHENTIK_POSTGRESQL__HOST: authentik_db
+      AUTHENTIK_POSTGRESQL__NAME: authentik
+      AUTHENTIK_POSTGRESQL__USER: authentik
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${DB_PASSWORD}
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+    networks:
+      - default
+    user: root
+    volumes:
+      - ./certs:/certs
+      - ./data/media:/media
+      - ./data/templates:/templates
+      - /var/run/docker.sock:/var/run/docker.sock
+  
+  authentik_proxy:
+    image: authentik/proxy:2025.10
+    container_name: authentik_proxy
+    restart: always
+    environment:
+      AUTHENTIK_HOST: https://login.eliasfink.de
+      AUTHENTIK_TOKEN: ${AUTHENTIK_OUTPOST_TOKEN}
+    networks:
+      - default
+      - traefik
+
+  authentik_db:
+    image: postgres:16
+    container_name: authentik_db
+    restart: always
+    environment:
+      POSTGRES_DB: authentik
+      POSTGRES_USER: authentik
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+    healthcheck:
+      test: pg_isready
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    networks:
+      - default
+    volumes:
+      - ./db:/var/lib/postgresql/data
+
+networks:
+  traefik:
+    external: true

gitea/compose.yml

@@ -6,13 +6,20 @@ services:
     container_name: gitea
     restart: always
     depends_on:
-      - gitea_db
+      gitea_db:
+        condition: service_healthy
     environment:
-      - GITEA__database__DB_TYPE=postgres
+      GITEA_CUSTOM: /data/gitea/custom
-      - GITEA__database__HOST=gitea_db:5432
+      GITEA__database__DB_TYPE: postgres
-      - GITEA__database__NAME=gitea
+      GITEA__database__HOST: gitea_db:5432
-      - GITEA__database__USER=gitea
+      GITEA__database__NAME: gitea
-      - GITEA__database__PASSWD=${DB_PASSWORD}
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD: ${DB_PASSWORD}
+    healthcheck:
+      test: curl -f http://localhost:3000/api/healthz || exit 1
+      interval: 30s
+      timeout: 10s
+      retries: 3
     networks:
       - default
       - traefik
@@ -26,9 +33,14 @@ services:
     container_name: gitea_db
     restart: always
     environment:
-      - POSTGRES_DB=gitea
+      POSTGRES_DB: gitea
-      - POSTGRES_USER=gitea
+      POSTGRES_USER: gitea
-      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+    healthcheck:
+      test: pg_isready
+      interval: 30s
+      timeout: 10s
+      retries: 3
     networks:
       - default
     volumes:
@@ -36,4 +48,4 @@ services:
 
 networks:
   traefik:
-    external: true
+    external: true

hedgedoc/compose.yml

@@ -0,0 +1,52 @@
+# /services/hedgedoc/compose.yml
+
+services:
+  hedgedoc:
+    image: quay.io/hedgedoc/hedgedoc:1.10.3
+    container_name: hedgedoc
+    restart: always
+    depends_on:
+      hedgedoc_db:
+        condition: service_healthy
+    environment:
+      CMD_ALLOW_EMAIL_REGISTER: false
+      CMD_DB_URL: postgres://hedgedoc:${DB_PASSWORD}@hedgedoc_db:5432/hedgedoc
+      CMD_DOMAIN: pad.eliasfink.de
+      CMD_OAUTH2_PROVIDERNAME: EFlogin
+      CMD_OAUTH2_CLIENT_ID: ${OAUTH2_CLIENT_ID}
+      CMD_OAUTH2_CLIENT_SECRET: ${OAUTH2_CLIENT_SECRET} 
+      CMD_OAUTH2_SCOPE: openid email profile
+      CMD_OAUTH2_AUTHORIZATION_URL: https://login.eliasfink.de/application/o/authorize/
+      CMD_OAUTH2_TOKEN_URL: https://login.eliasfink.de/application/o/token/
+      CMD_OAUTH2_USER_PROFILE_URL: https://login.eliasfink.de/application/o/userinfo/
+      CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: name
+      CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: email
+      CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: preferred_username
+      CMD_PROTOCOL_USESSL: true
+    networks:
+      - default
+      - traefik
+    volumes:
+      - ./data/uploads:/hedgedoc/public/uploads
+
+  hedgedoc_db:
+    image: postgres:17
+    container_name: hedgedoc_db
+    restart: always
+    environment:
+      POSTGRES_DB: hedgedoc
+      POSTGRES_USER: hedgedoc
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+    healthcheck:
+      test: pg_isready
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    networks:
+      - default
+    volumes:
+      - ./db:/var/lib/postgresql/data
+
+networks:
+  traefik:
+    external: true

nextcloud/compose.yml

@@ -2,18 +2,25 @@
 
 services:
   nextcloud:
-    image: nextcloud:31
+    image: nextcloud:32
     container_name: nextcloud
     restart: always
     depends_on:
-      - nextcloud_db
+      nextcloud_db:
-      - nextcloud_redis
+        condition: service_healthy
+      nextcloud_redis:
+        condition: service_healthy
     environment:
-      - POSTGRES_HOST=nextcloud_db
+      POSTGRES_HOST: nextcloud_db
-      - POSTGRES_DB=nextcloud
+      POSTGRES_DB: nextcloud
-      - POSTGRES_USER=nextcloud
+      POSTGRES_USER: nextcloud
-      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      - REDIS_HOST=nextcloud_redis
+      REDIS_HOST: nextcloud_redis
+    healthcheck:
+      test: curl -f http://localhost/status.php || exit 1
+      interval: 30s
+      timeout: 10s
+      retries: 3
     networks:
       - default
       - traefik
@@ -26,9 +33,14 @@ services:
     container_name: nextcloud_db
     restart: always
     environment:
-      - POSTGRES_DB=nextcloud
+      POSTGRES_DB: nextcloud
-      - POSTGRES_USER=nextcloud
+      POSTGRES_USER: nextcloud
-      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+    healthcheck:
+      test: pg_isready
+      interval: 30s
+      timeout: 10s
+      retries: 3
     networks:
       - default
     volumes:
@@ -38,9 +50,16 @@ services:
     image: redis:8
     container_name: nextcloud_redis
     restart: always
+    healthcheck:
+      test: redis-cli ping
+      interval: 30s
+      timeout: 10s
+      retries: 3
     networks:
       - default
+    volumes:
+      - ./cache:/data
 
 networks:
   traefik:
-    external: true
+    external: true

nextcloud/config/opcache.ini

@@ -1,8 +1,8 @@
 [opcache]
 opcache.enable=1
 opcache.enable_cli=1
-opcache.memory_consumption=256
 opcache.interned_strings_buffer=16
 opcache.max_accelerated_files=10000
+opcache.memory_consumption=256
 opcache.revalidate_freq=1
-opcache.save_comments=1
+opcache.save_comments=1

overleaf/Dockerfile

@@ -0,0 +1,5 @@
+FROM sharelatex/sharelatex:main
+
+RUN tlmgr update --self && \
+    tlmgr install scheme-full && \
+    tlmgr path add

overleaf/build-images.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+cd /overleaf
+git pull
+
+cd server-ce
+make build-base
+make build-community
+
+cd /services/overleaf
+docker compose up -d --build

overleaf/compose.yml

@@ -0,0 +1,74 @@
+services:
+  overleaf:
+    build: .
+    container_name: overleaf
+    restart: always
+    depends_on:
+      overleaf_db:
+        condition: service_healthy
+      overleaf_redis:
+        condition: service_healthy
+    environment:
+      ENABLE_CONVERSIONS: true
+      OVERLEAF_ADMIN_EMAIL: mail@eliasfink.de
+      OVERLEAF_APP_NAME: EFlatex
+      OVERLEAF_EMAIL_FROM_ADDRESS: no-reply@eliasfink.de
+      OVERLEAF_EMAIL_SMTP_HOST: mxe92f.netcup.net
+      OVERLEAF_EMAIL_SMTP_USER: no-reply@eliasfink.de
+      OVERLEAF_EMAIL_SMTP_PASS: ${EMAIL_PASSWORD}
+      OVERLEAF_EMAIL_SMTP_PORT: 465
+      OVERLEAF_EMAIL_SMTP_SECURE: true
+      OVERLEAF_HEADER_IMAGE_URL: https://static.eliasfink.de/img/logo/logo.svg
+      OVERLEAF_MONGO_URL: mongodb://overleaf_db/overleaf
+      OVERLEAF_REDIS_HOST: overleaf_redis
+      OVERLEAF_RIGHT_FOOTER: '[{"text": "Datenschutz", "url" : "https://privacy.eliasfink.de"}]'
+      OVERLEAF_SITE_LANGUAGE: de
+      OVERLEAF_SITE_URL: https://latex.eliasfink.de
+      REDIS_HOST: overleaf_redis
+    labels:
+      - com.centurylinklabs.watchtower.enable=false
+    networks:
+      - default
+      - traefik
+    stop_grace_period: 60s
+    volumes:
+      - ./data:/var/lib/overleaf
+
+  overleaf_db:
+    image: mongo:6.0
+    container_name: overleaf_db
+    restart: always
+    command: --replSet overleaf
+    environment:
+      MONGO_INITDB_DATABASE: overleaf
+    extra_hosts:
+      - overleaf_db:127.0.0.1
+    healthcheck:
+      test: echo 'db.stats().ok' | mongosh localhost:27017/test --quiet
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    networks:
+      - default
+    volumes:
+      - ./db/config:/data/configdb
+      - ./db/data:/data/db
+      - ./config/mongodb-init-replica-set.js:/docker-entrypoint-initdb.d/mongodb-init-replica-set.js
+
+  overleaf_redis:
+    image: redis:6.2
+    container_name: overleaf_redis
+    restart: always
+    healthcheck:
+      test: redis-cli ping
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    networks:
+      - default
+    volumes:
+      - ./cache:/data
+
+networks:
+  traefik:
+    external: true

overleaf/config/mongodb-init-replica-set.js

@@ -0,0 +1,3 @@
+/* eslint-disable no-undef */
+
+rs.initiate({ _id: 'overleaf', members: [{ _id: 0, host: 'overleaf_db:27017' }] })

portainer/compose.yml

@@ -13,4 +13,4 @@ services:
 
 networks:
   traefik:
-    external: true
+    external: true

traefik/compose.yml

@@ -5,14 +5,20 @@ services:
     image: traefik:3
     container_name: traefik
     restart: always
+    healthcheck:
+      test: traefik healthcheck
+      interval: 30s
+      timeout: 10s
+      retries: 3
     networks:
       - traefik
     ports:
       - 80:80
       - 443:443
+      - 8080:8080
     volumes:
       - ./:/etc/traefik
 
 networks:
   traefik:
-    external: true
+    external: true

traefik/config/dashboard.yml

@@ -1,9 +0,0 @@
-# /services/traefik/config/dashboard.yml
-
-http:
-  routers:
-    traefik:
-      entryPoints:
-        - https
-      rule: Host(`traefik.eliasfink.de`)
-      service: api@internal

traefik/config/middlewares/default-chain.yml

@@ -0,0 +1,9 @@
+# /services/traefik/config/middlewares/default-chain.yml
+
+http:
+  middlewares:
+    default-chain:
+      chain:
+        middlewares:
+          - favicon-redirection
+          - security-headers

traefik/config/middlewares/favicon-redirection.yml

@@ -0,0 +1,9 @@
+# /services/traefik/config/middlewares/favicon-redirection.yml
+
+http:
+  middlewares:
+    favicon-redirection:
+      redirectRegex:
+        permanent: true
+        regex: ^.+\/favicon\.ico$
+        replacement: https://static.eliasfink.de/img/favicon/favicon.ico

traefik/config/middlewares/home-redirection.yml

@@ -1,4 +1,4 @@
-# /services/traefik/config/home.yml
+# /services/traefik/config/middlewares/home-redirection.yml
 
 http:
   routers:
@@ -7,12 +7,12 @@ http:
         - https
       rule: Host(`server.eliasfink.de`)
       middlewares:
-        - home-redirect
+        - home-redirection
       service: noop@internal
 
   middlewares:
-    home-redirect:
+    home-redirection:
       redirectRegex:
         permanent: true
         regex: ^.+$
-        replacement: https://eliasfink.de
+        replacement: https://eliasfink.de

traefik/config/middlewares/security-headers.yml

@@ -1,16 +1,12 @@
-# /services/traefik/config/security.yml
+# /services/traefik/config/middlewares/security-headers.yml
 
 http:
   middlewares:
-    default-security:
+    security-headers:
-      chain:
-        middlewares:
-          - secure-headers
-    secure-headers:
       headers:
         hostsProxyHeaders:
           - X-Forwarded-Host
         stsSeconds: 31536000
         stsIncludeSubdomains: true
         stsPreload: true
-        referrerPolicy: same-origin
+        referrerPolicy: same-origin

traefik/config/middlewares/traefik-dashboard-auth.yml

@@ -0,0 +1,30 @@
+# /services/traefik/config/middlewares/dashboard.yml
+
+http:
+  routers:
+    traefik:
+      entryPoints:
+        - https
+      rule: Host(`traefik.eliasfink.de`)
+      middlewares:
+        - traefik-dashboard-auth
+      service: api@internal
+
+  middlewares:
+    traefik-dashboard-auth:
+      forwardAuth:
+        address: http://authentik_proxy:9000/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-entitlements
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version

traefik/config/services/authentik.yml

@@ -0,0 +1,24 @@
+# /services/traefik/config/services/authentik.yml
+
+http:
+  routers:
+    login:
+      entryPoints:
+        - https
+      rule: Host(`login.eliasfink.de`)
+      service: authentik
+    login_outpost:
+      entryPoints:
+        - https
+      rule: Host(`login.eliasfink.de`) && PathPrefix(`/outpost.goauthentik.io/`)
+      service: authentik_proxy
+
+  services:
+    authentik:
+      loadBalancer:
+        servers:
+          - url: http://authentik_server:9000
+    authentik_proxy:
+      loadBalancer:
+        servers:
+          - url: http://authentik_proxy:9000

traefik/config/services/gitea.yml

@@ -1,4 +1,4 @@
-# /services/traefik/config/gitea.yml
+# /services/traefik/config/services/gitea.yml
 
 http:
   routers:
@@ -12,4 +12,4 @@ http:
     gitea:
       loadBalancer:
         servers:
-          - url: http://gitea:3000
+          - url: http://gitea:3000

traefik/config/services/hedgedoc.yml

@@ -0,0 +1,15 @@
+# /services/traefik/config/services/hedgedoc.yml
+
+http:
+  routers:
+    pad:
+      entryPoints:
+        - https
+      rule: Host(`pad.eliasfink.de`)
+      service: hedgedoc
+
+  services:
+    hedgedoc:
+      loadBalancer:
+        servers:
+          - url: http://hedgedoc:3000

traefik/config/services/nextcloud.yml

@@ -1,4 +1,4 @@
-# /services/traefik/config/nextcloud.yml
+# /services/traefik/config/services/nextcloud.yml
 
 http:
   routers:
@@ -12,4 +12,4 @@ http:
     nextcloud:
       loadBalancer:
         servers:
-          - url: http://nextcloud:80
+          - url: http://nextcloud:80

traefik/config/services/overleaf.yml

@@ -0,0 +1,15 @@
+# /services/traefik/config/services/overleaf.yml
+
+http:
+  routers:
+    latex:
+      entryPoints:
+        - https
+      rule: Host(`latex.eliasfink.de`)
+      service: overleaf
+
+  services:
+    overleaf:
+      loadBalancer:
+        servers:
+          - url: http://overleaf:80

traefik/config/services/portainer.yml

@@ -1,4 +1,4 @@
-# /services/traefik/config/portainer.yml
+# /services/traefik/config/services/portainer.yml
 
 http:
   routers:
@@ -12,4 +12,4 @@ http:
     portainer:
       loadBalancer:
         servers:
-          - url: http://portainer:9443
+          - url: http://portainer:9000

traefik/config/services/uptime-kuma.yml

@@ -0,0 +1,15 @@
+# /services/traefik/config/services/uptime-kuma.yml
+
+http:
+  routers:
+    status:
+      entryPoints:
+        - https
+      rule: Host(`status.eliasfink.de`)
+      service: authentik_proxy
+
+# services:
+#   uptime-kuma:
+#     loadBalancer:
+#       servers:
+#         - url: http://uptime-kuma:3001

traefik/traefik.yml

@@ -1,9 +1,12 @@
 # /services/traefik/traefik.yml
 
 global:
-  checkNewVersion: true
   sendAnonymousUsage: false
 
+api: {}
+
+ping: {}
+
 entryPoints:
   http:
     address: :80
@@ -15,12 +18,10 @@ entryPoints:
     address: :443
     http:
       middlewares:
-        - default-security
+        - default-chain
       tls:
         certResolver: letsencrypt
 
-api: {}
-
 providers:
   file:
     directory: /etc/traefik/config
@@ -29,6 +30,7 @@ providers:
 certificatesResolvers:
   letsencrypt:
     acme:
-      email: mail@eliasfink.de
     # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # use staging server instead of production
-      tlsChallenge: {}
+      email: mail@eliasfink.de
+      storage: /etc/traefik/certs/acme.json
+      tlsChallenge: {}

uptime-kuma/compose.yml

@@ -0,0 +1,16 @@
+# /services/uptime-kuma/compose.yml
+
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:2
+    container_name: uptime-kuma
+    restart: always
+    networks:
+      - traefik
+    volumes:
+      - ./data:/app/data
+      - /var/run/docker.sock:/var/run/docker.sock
+
+networks:
+  traefik:
+    external: true

watchtower/compose.yml

@@ -2,11 +2,11 @@
 
 services:
   watchtower:
-    image: containrrr/watchtower:arm64v8-latest
+    image: nickfedor/watchtower:latest
     container_name: watchtower
     restart: always
     command:
       --cleanup
       --schedule "0 3 * * *"
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock