SimpleHomelab
diff --git a/‎.env.example‎
Lines changed: 22 additions & 117 deletions b/‎.env.example‎
Lines changed: 22 additions & 117 deletions
diff --git a/‎.gitignore‎
Lines changed: 25 additions & 22 deletions b/‎.gitignore‎
Lines changed: 25 additions & 22 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 7 deletions b/‎README.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎appdata/authelia/configuration.yml.example‎
Lines changed: 11 additions & 42 deletions b/‎appdata/authelia/configuration.yml.example‎
Lines changed: 11 additions & 42 deletions
diff --git a/‎appdata/authelia/users.yml.example‎
Lines changed: 2 additions & 1 deletion b/‎appdata/authelia/users.yml.example‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎appdata/nginx/common/acl.conf‎
Lines changed: 8 additions & 0 deletions b/‎appdata/nginx/common/acl.conf‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎appdata/nginx/common/disabled/commentspam.conf.disabled‎
Lines changed: 21 additions & 0 deletions b/‎appdata/nginx/common/disabled/commentspam.conf.disabled‎
Lines changed: 21 additions & 0 deletions
@@ -1,117 +1,22 @@
-#### Comment out or delete any unused entries
-
-#### EXAMPLE 
-# DO NOT USE QUOTES TO ENCLOSE THE VALUES
-EXAMPLE_VARIABLE=true
-EXAMPLE_PORT=1234
-EXAMPLE_PASSWORD=kdos9lsk@1l1!
-EXAMPLE_EMAIL=[email protected]
-EXAMPLE_IP=123.123.123.123
-
-#### BELOW ARE SOME OF THE VARIABLES USED IN docker-compose.yml
-
-##### PORTS
-
-APCUPSD_PORT=
-BAZARR_PORT=
-EMBY_PORT=
-GUACAMOLE_PORT=
-HA_DOCKERMON_PORT=
-HEIMDALL_PORT=
-INFLUXDB_PORT=
-IPVANISH_PROXY_PORT=
-IPVANISH_REMOTE_SERVER=
-JACKETT_PORT=
-JDOWNLOADER_PORT=
-LIDARR_PORT=
-MOSQUITTO_HTTP_PORT=
-MOSQUITTO_HTTPS_PORT=
-NZBHYDRA_PORT=
-ORGANIZER_PORT=
-PHPMYADMIN_PORT=
-PLEX_PORT=
-PLEX_WEB_TOOLS_PORT=
-QBITTORRENT_PORT=
-RADARR_PORT= #If you change radarr port then update plex meta agent
-SABNZBD_PORT=
-SONARR_PORT= #If you change sonarr port then update plex meta agent
-TAUTULLI_PORT=
-TRANSMISSION_PORT=
-ZONEMINDER_HTTP_PORT=
-ZONEMINDER_HTTPS_PORT=
-
-##### SYSTEM
-
-PUID=
-PGID=
-TZ=America/New_York
-USERDIR=/home/username
-DOCKERDIR=/home/username/docker
-SECRETSDIR=/home/username/docker/secrets
-SERVER_IP=
-PIHOLE_IP=
-LOCAL_NETWORK=
-LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-
-##### DOMAIN
-
-DOMAINNAME=
-CLOUDFLARE_EMAIL=
-CLOUDFLARE_API_KEY=
-CLOUDFLARE_API_TOKEN=
-CLOUDFLARE_ZONEID=
-DUCKDNS_TOKEN=
-CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
-
-##### DATABASE
-
-DB_HOST=
-DB_PORT=
-MYSQL_ROOT_PASSWORD=
-
-##### SECURITY AND PRIVACY
-
-IPVANISH_USERNAME=
-IPVANISH_PASSWORD=
-HTTP_USERNAME=
-HTTP_PASSWORD=
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-OAUTH_SECRET=
-LIDARR_API_KEY=
-RADARR_API_KEY=
-SONARR_API_KEY=
-SABNZBD_API_KEY=
-
-##### NOTIFICATIONS
-
-TGRAM_BOT_TOKEN=
-TGRAM_CHAT_ID=
-MY_EMAIL=
-
-##### APPS
-
-JDOWN_VNC_PASSWD=
-HANDBRAKE_VNC_PASSWD=
-FIREFOX_VNC_PASSWD=
-FILEBOT_VNC_PASSWD=
-QDIRSTAT_VNC_PASSWD=
-MKVTOOLNIX_VNC_PASSWD=
-MAKEMKV_VNC_PASSWD=
-GUAC_MYSQL_USER=
-GUAC_MYSQL_PASSWORD=
-TRANSMISSION_RPC_PASSWORD=
-TRANSMISSION_RPC_USERNAME=
-PIHOLE_WEBPASSWORD=
-
-##### PLEX
-
-PLEX_CLAIM=
-SYN_PLEX=ACCESS-TOKEN@PLEX_SERVER_IP
-NUC_PLEX=ACCESS-TOKEN@PLEX_SERVER_IP
-# Plex libraries section id. Remember to change the numbers below to reflect your library. Add more as needed. 
-# ALWAYS DO A DRY RUN TO VERIFY BEFORE SYNCING
-SYN_PLEX_HOLLYWOOD=1
-NUC_PLEX_HOLLYWOOD=2
-SYN_PLEX_TVSHOWS=2
-NUC_PLEX_TVSHOWS=16
+PUID='1000'
+PGID='1000'
+PRIMARY_USERNAME='anand'
+TZ='Europe/Zurich'
+USERDIR='/home/anand'
+DOCKERDIR='/home/anand/docker'
+LOCAL_IPS='127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12'
+CLOUDFLARE_IPS='173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22'
+HOSTNAME='hs'
+SERVER_LAN_IP='192.168.5.112'
+DOCKER0_IP='172.17.0.1'
+DOMAINNAME_1='example.com'
+DOWNLOADSDIR='/media/ssd/downloads'
+DATADIR1='/media/nas/data'
+DATADIR2='/media/nas/data2'
+MEDIADIR1='/media/nas/data/media'
+MEDIADIR2='/media/nas/data2/media'
+DOCKER_HOST='tcp://socket-proxy:2375'
+DEPLOYRRDASHBOARD_PORT='3050'
+TRAEFIK_PORT='8080'
+ADMINER_PORT='8081'
+...
@@ -53,6 +53,31 @@ scripts/ws-arm/*
 compose/*
 !compose/**
 
+!appdata
+appdata/*
+
+!appdata/authelia
+appdata/authelia/*
+!appdata/authelia/*.example
+
+!appdata/nginx/**
+appdata/nginx/**/*
+!appdata/nginx/**/*.example
+
+!appdata/picard
+appdata/picard/*
+!appdata/picard/*.example
+
+!appdata/rclone
+appdata/rclone/*
+!appdata/rclone/*.example
+
+!appdata/php
+!appdata/php/**
+
+!appdata/nginx
+!appdata/nginx/**
+
 !appdata/traefik3
 appdata/traefik3/*
 !appdata/traefik3/*.example
@@ -115,25 +140,3 @@ appdata/traefik2/rules/ws/*
 !appdata/traefik2/rules/ws/middlewares-*.yml
 !appdata/traefik2/rules/ws/chain-*.yml
 
-!appdata
-appdata/*
-
-!appdata/picard
-appdata/picard/*
-!appdata/picard/*.example
-
-!appdata/authelia
-appdata/authelia/*
-!appdata/authelia/*.example
-
-!appdata/rclone
-appdata/rclone/*
-!appdata/rclone/*.example
-
-!appdata/php
-appdata/php/*
-!appdata/php/*.example
-
-!appdata/nginx
-appdata/nginx/*
-!appdata/nginx/**/*.example
 
@@ -25,16 +25,16 @@ My setup is based on [Deployrr](https://www.simplehomelab.com/deployrr/) and [Ul
 I believe in **simple, energy-efficient homelab** design that maximizes performance while minimizing complexity.
 
 ### 🏠 Networking Architecture
-- **OPNsense** firewall running on Proxmox VM
+- **OPNsense** home firewall running on Proxmox VM (DMZed on ISP router)
 - **Tailscale** mesh networking connecting all hosts
 
 ### 📊 Hardware Specifications
 
 | Component | Specifications | Purpose |
 |-----------|---------------|---------|
-| **TopTon V700 Mini PC** | Intel i7-13800H, 64GB RAM, 2×2TB NVMe ZFS RAID1, 4TB SATA SSD | Primary Proxmox host |
-| **Synology DS918+** | DX517 Expansion, 8GB RAM, 4×18TB SHR2 (×2 volumes) | Storage & legacy apps |
-| **Oracle Ampere A1** | 4 vCPU ARM64, 24GB RAM, 200GB storage | Web server & ARM workloads |
+| **TopTon V700 Mini PC** | Intel i7-13800H, 64GB RAM, 2×2TB NVMe ZFS RAID1, 4TB SATA SSD | Proxmox host that runs my Home Server, Media/Database Server, Home Assistant, Proxmox Backup Server, etc. |
+| **Synology DS918+** | DX517 Expansion, 8GB RAM, 4×18TB SHR2 (×2 volumes) | Primary use is storage. But I tinker with Docker on it. |
+| **Oracle Ampere A1** | 4 vCPU ARM64, 24GB RAM, 200GB storage | Web server and automations |
 
 ---
 
@@ -90,7 +90,7 @@ Legacy configurations in `archives` folder - not actively maintained but useful
 #### ⚙️ Infrastructure Setup
 4. [Install Proxmox on Mini PC with ZFS RAID1 Mirror + 3 Tweaks](https://www.simplehomelab.com/udms-04-install-proxmox-on-mini-pc/) [📹](https://youtu.be/2nIPY7D-UA0)
 5. [Installing and Prepping Ubuntu/Debian](https://www.simplehomelab.com/udms-05-installing-ubuntu-on-proxmox/) [📹](https://youtu.be/-ZSQdJ62r-Q)
-6. [Mounting Remote Folders using Rclone](https://youtu.be/D-XS0biLP14) [📹]
+6. [Mounting Remote Folders using Rclone](https://youtu.be/D-XS0biLP14) [📹](https://youtu.be/D-XS0biLP14)
 7. Mounting Remote Folders using SMB/CIFS *(Coming Soon)*
 8. Mounting Remote Folders using NFS *(Coming Soon)*
 9. Binding Mounting on Proxmox Unprivileged LXC *(Coming Soon)*
@@ -112,8 +112,8 @@ Legacy configurations in `archives` folder - not actively maintained but useful
 
 #### 🔐 Authentication & Security
 19. [Authentication for Docker Apps - Authelia](https://www.simplehomelab.com/udms-19-authelia-docker-compose/) [📹](https://youtu.be/UIq8PLZHBtk)
-20. [Authentication for Docker Apps - Google OAuth 2](https://youtu.be/SCKALXprTQE) [📹]
-21. [Authentication for Docker Apps - Authentik](https://youtu.be/GoUmJAe1MKc) [📹]
+20. [Authentication for Docker Apps - Google OAuth 2](https://youtu.be/SCKALXprTQE) [📹](https://youtu.be/SCKALXprTQE)
+21. [Authentication for Docker Apps - Authentik](https://youtu.be/GoUmJAe1MKc) [📹](https://youtu.be/GoUmJAe1MKc)
 22. [CrowdSec Docker Compose – Bulletproof IPS for Homelabs](https://www.simplehomelab.com/udms-22-crowdsec-docker-compose/)
 23. [Setting up Crowdsec Cloudflare Bouncer](https://www.simplehomelab.com/udms-23-crowdsec-cloudflare-bouncer/)
 24. [Setting up Crowdsec Traefik Bouncer](https://www.simplehomelab.com/udms-24-crowdsec-traefik-bouncer/)
 
@@ -1,7 +1,7 @@
 ###############################################################
 #                   Authelia configuration                    #
 ###############################################################
-
+ 
 server:
   address: tcp://0.0.0.0:9091/
   buffers:
@@ -14,29 +14,22 @@ server:
   tls:
     key: ""
     certificate: ""
-
+ 
 # https://www.authelia.com/configuration/miscellaneous/logging/
 log:
   level: info
   format: text
   file_path: /config/authelia.log
   keep_stdout: true
-
+ 
 # https://www.authelia.com/configuration/second-factor/time-based-one-time-password/
 totp:
   issuer: example.com
   period: 30
   skew: 1
-
+ 
 # AUTHELIA_DUO_PLACEHOLDER
-# Enable the following for Duo Push Notification support
-# https://www.authelia.com/docs/features/2fa/push-notifications.html
-#duo_api:
-#  hostname: api-123456789.example.com
-#  integration_key: ABCDEF
-#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
-#  secret_key: # use docker secret file instead AUTHELIA_DUO_API_SECRET_KEY_FILE
-
+ 
 # https://www.authelia.com/reference/guides/passwords/
 authentication_backend:
   password_reset:
@@ -50,7 +43,7 @@ authentication_backend:
       salt_length: 16
       parallelism: 8
       memory: 256 # blocks this much of the RAM
-
+ 
 # https://www.authelia.com/overview/authorization/access-control/
 access_control:
   default_policy: deny
@@ -67,7 +60,7 @@ access_control:
         - "*.example.com"
         - "example.com"
       policy: two_factor
-
+ 
 # https://www.authelia.com/configuration/session/introduction/
 session:
   name: authelia_session
@@ -80,47 +73,23 @@ session:
       authelia_url: 'https://authelia.example.com'
       default_redirection_url: 'https://example.com'
   # AUTHELIA_REDIS_PLACEHOLDER
-  # Optional. Can improve performance on a busy system. If not enabled, session info is stored in memory.
-  # redis:
-  #   host: redis
-  #   port: 6379
-  #   This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
-  #   password: REDIS_PASSWORD
-
-
+ 
 # https://www.authelia.com/configuration/security/regulation/
 regulation:
   max_retries: 3
   find_time: 10m
   ban_time: 12h
-  
+   
 # https://www.authelia.com/configuration/storage/introduction/
 storage:
   # For local storage, uncomment lines below and comment out mysql. https://docs.authelia.com/configuration/storage/sqlite.html
   # This is good for the beginning. If you have a busy site then switch to other databases.
   local:
    path: /config/db.sqlite3
-  # mysql:
-  #   # https://www.authelia.com/configuration/storage/mysql/
-  #   # MySQL allows running multiple authelia instances. Create database and enter details below.
-  #   address: 'tcp://127.0.0.1:3306'
-  #   port: 3306
-  #   database: authelia
-  #   username: DBUSERNAME
-  #   # Password can also be set using a secret: https://www.authelia.com/configuration/methods/secrets/#environment-variables
-  #   # password: DBPASSWORD
-  # encryption_key: 'a_very_important_secret' # Can also be set using a secret: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE 
-
+ 
 # https://www.authelia.com/configuration/notifications/introduction/
 notifier:
   disable_startup_check: false
   # For testing purposes, notifications can be sent in a file. Be sure to map the volume in docker-compose.
   filesystem:
-    filename: /config/notifications.txt
-  # smtp:
-  #   username: SMTP_USERNAME
-  #   # This secret can also be set using secret: https://www.authelia.com/configuration/methods/secrets/#environment-variables
-  #   # password: SMTP_PASSWORD 
-  #   host: SMTP_HOST
-  #   port: 587 #465
-  #   sender: SENDER_EMAIL
+    filename: /config/notifications.txt
@@ -5,7 +5,8 @@
 # This file can be used if you do not have an LDAP set up.
 
 # CREATE NEW HASHED PASSWORD
-# sudo docker run -it authelia/authelia:latest authelia crypto hash generate argon2 --password 'STRONG_PASSWORD'
+# sudo docker run -v /home/user/docker/appdata/authelia/configuration.yml:/configuration.yml -it authelia/authelia:4.39.4 authelia crypto hash generate --config /configuration.yml --password MYSTRONGPASSWORD
+
 # https://www.authelia.com/reference/guides/passwords/
 
 # List of users
 
@@ -0,0 +1,8 @@
+# EasyEngine (ee) protect locations using
+# HTTP authentication || IP address
+satisfy any;
+auth_basic "Restricted Area";
+auth_basic_user_file /var/run/secrets/htpasswd;
+# Allowed IP Address List
+allow 127.0.0.1;
+deny all;
@@ -0,0 +1,21 @@
+# Deny Access for comments to No Referrer Requests - spam protection
+location ~* (wp-comments-post)\.php$ {
+	if ($http_cookie !~* "_gat"){
+		return 405;
+	}
+	if ($http_referer !~ ^(simplehomelab.com|www.simplehomelab.com) )           {
+	      return 405;
+           }
+}
+
+#Return 410 for the 404s for spammy backlinks
+#http://webmasters.stackexchange.com/questions/84317/help-to-remove-spam-links-leading-to-404-page
+#http://serverfault.com/questions/646154/return-error-410-for-location-regex-in-nginx?rq=1
+location = / {
+        if ($query_string ~ ^p=1459955773) {
+                return 410;
+        }
+        if ($query_string ~ ^p=1461920860) {
+                return 410;
+        }        
+}