✨ docker secrets

.gitignore

@@ -1,5 +1,7 @@
 # Secrets
 .env
+secrets/
+
 # Media Center
 media-center/heimdall/config/
 media-center/jackett/config/

README.md

@@ -46,8 +46,12 @@ everything.
 
 ```text
 .
+├── .env                                    # Environment Variables and Configuration
 ├── docker-compose.yaml                     # Main Docker Compose File
 ├── Makefile                                # Makefile for common tasks and docker compose wrappers
+├── secrets                                 # Secret Files
+│   ├── cloudflare_api_key.secret           # Cloudflare API Key
+│   └── google_oauth.secret                 # Google OAuth Credentials and Whitelist
 ├── media-center
 │   ├── docker-compose.yaml                 # Media-Center Stack Docker Compose File (Plex, Sonarr, etc.)
 │   ├── plex                                # Each individual service has its own subdirectory
@@ -65,18 +69,22 @@ everything.
 │           ├── middlewares-chains.yml      # Traefik Middlewares Chains
 │           ├── middlewares.yml             # Traefik Middlewares
 │           └── tls-opts.yml                # Traefik TLS Options
-├── miscellaneous                           # Non Media Center Services (pihole, chat-gpt-next-web, etc.)
-│   ├── chat-gpt-next-web
-│   │   └── docker-compose.yaml
-│   └── docker-compose.yaml                 # Miscellaneous Stack Docker Compose File
-└── README.md
+└── miscellaneous                           # Non Media Center Services (pihole, chat-gpt-next-web, etc.)
+    ├── chat-gpt-next-web
+    │   └── docker-compose.yaml
+    └── docker-compose.yaml                 # Miscellaneous Stack Docker Compose File
 ```
 
 ### Configuration
 
-All services are configured via a singular `.env` file at the root of the project.
-This file is used to define environment variables that are used in various `docker-compose.yaml`
-files - there is a template available at [example.env](docs/example.env).
+All services are configured via a `.env` file at the root of the project and a few secret
+files in the `secrets` directory. These files are used to define settings and credentials
+for all services that are deployed. You can copy the example files to get started:
+
+```shell
+cp docs/example.env .env
+cp -r docs/example-secrets/ secrets/
+```
 
 See the [docs](https://juftin.github.io/homelab/) for more information on configuration and
 getting started.

docker-compose.yaml

@@ -12,7 +12,7 @@ include:
     - miscellaneous/docker-compose.yaml
 
 ####################################
-# NETWORKS CONFIGURATION
+# CONFIGURATION
 ####################################
 
 networks:

docs/config.md

@@ -49,9 +49,17 @@ in the `media-center/docker-compose.yaml` file.
 
 ## App Configuration
 
-All services are configured via a singular `.env` file at the root of the project.
-This file is used to define environment variables that are used in various `docker-compose.yaml`
-files - there is a template available at [example.env](example.env).
+These project makes use of a few configuration files to make it easier to manage:
+
+```shell
+cp docs/example.env .env
+cp -r docs/example-secrets/ secrets/
+```
+
+-   `.env` - Environment variables that are used by the `docker-compose.yaml` files
+-   `secrets/google_oauth.secret` - The Google OAuth API credentials and user whitelist
+-   `secrets/cloudflare_api_key.secret` - The CloudFlare API key (singular, plaintext key)
+-   `secrets/admin_password.secret` - The password for the `admin` user in the `pi-hole` service (singular, plaintext key)
 
 <details><summary>📄 .env</summary>
 <p>
@@ -62,3 +70,34 @@ files - there is a template available at [example.env](example.env).
 
 </p>
 </details>
+
+<details><summary>📄 secrets/google_oauth.secret</summary>
+<p>
+
+```shell
+--8<-- "docs/example-secrets/google_oauth.secret"
+```
+
+</p>
+
+</details>
+
+<details><summary>📄 secrets/cloudflare_api_key.secret</summary>
+<p>
+
+```shell
+--8<-- "docs/example-secrets/cloudflare_api_key.secret"
+```
+
+</p>
+</details>
+
+<details><summary>📄 secrets/admin_password.secret</summary>
+<p>
+
+```shell
+--8<-- "docs/example-secrets/admin_password.secret"
+```
+
+</p>
+</details>

docs/example-secrets/admin_password.secret

@@ -0,0 +1 @@
+password1234

docs/example-secrets/cloudflare_api_key.secret

@@ -0,0 +1 @@
+xxxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxx

docs/example-secrets/google_oauth.secret

@@ -0,0 +1,6 @@
+providers.google.client-id=GoogleClientID
+providers.google.client-secret=GoogleClientSecret
+secret=RandomSecretString
+whitelist=you@gmail.com
+whitelist=another@gmail.com
+whitelist=yet-another@gmail.com

docs/example.env

@@ -1,64 +1,63 @@
 ################################################################################
 # ENVIRONMENT SETUP
+#
+# * commented out lines are the default
 ################################################################################
 
 DOMAIN_NAME="example.com"
-
-ADMIN_USER="XXXXXXXXXXXXXX"
-ADMIN_PASSWORD="XXXXXXXXXXXXXX"
-# GENERATE ADMIN_HTPASSWD: docker run --rm httpd:2.4-alpine htpasswd -nbB admin <ADMIN_PASSWORD> | cut -d ":" -f 2
-ADMIN_HTPASSWD="$2y$05$XXXXXXXXXXXXXX"
+ADMIN_USER="admin"
 
 TZ="America/Denver"
-TZ_7="MST7MDT"
-# USE `id` command to retrieve PUID and GUID
-PUID="1000"
-PGID="1000"
+PUID="1000" # id -u
+PGID="1000" # id -g
 
-UNIVERSAL_RESTART_POLICY="unless-stopped"
+# UNIVERSAL_RESTART_POLICY="unless-stopped"
 
-################################################################################
+##################################################################
 # DIRECTORY SETUP
-################################################################################
-
-DOCKER_DIRECTORY="/home/user/docker/homelab"
-TRAEFIK_DIRECTORY="/home/user/docker/homelab/traefik"
-MEDIA_CENTER_DIRECTORY="/home/user/docker/homelab/media-center"
-MISCELLANEOUS_DIRECTORY="/home/user/docker/homelab/miscellaneous"
+#
+# * You must customize these paths to match your own setup
+# * For my personal setup, I have a NAS mounted at /media/storage
+##################################################################
 
-COMPLETED_DOWNLOADS="/media/nas/downloads"
-INCOMPLETE_DOWNLOADS="/home/user/media/torrents"
-MOVIE_DIR="/media/nas/plex/movies"
-TV_DIR="/media/nas/plex/tv_shows"
-BOOKS_DIR="/media/nas/books"
-PLEX_TRANSCODE_DIR="/home/user/plex/transcode"
+DOCKER_DIRECTORY="/path/to/this/repo"
 
-SHARED_DIRECTORY="/home/user/docker"
-SHARED_DIRECTORY_NAME="docker"
+COMPLETED_DOWNLOADS="/media/storage/downloads"
+INCOMPLETE_DOWNLOADS="/downloads/incomplete"
+MOVIE_DIR="/media/storage/movies"
+TV_DIR="/media/storage/tv"
+BOOKS_DIR="/media/storage/books"
+# PLEX_TRANSCODE_DIR="/tmp"
 
-################################################################################
+##################################################################
 # NETWORKING VARIABLES
-################################################################################
+#
+# * You must customize these variables to match your own setup
+# * These are the default values for my local network
+##################################################################
 
-PHYSICAL_SERVER_IP="192.168.1.55" # LOCAL IP ADDRESS OF THE SERVER
-PHYSICAL_SERVER_NETWORK="192.168.1.0/24" # USING MY CONFIGURATION AS EXAMPLE
-PHYSICAL_SERVER_GATEWAY="192.168.1.1"
+PHYSICAL_SERVER_IP="192.168.1.55" # ip route get 1 | awk '{print $7}')
+PHYSICAL_SERVER_NETWORK="192.168.1.0/24"
 
-################################################################################
-# VPN VARIABLES, OAUTH, DUCKDNS, CLOUDFLARE
-################################################################################
+DUCKDNS_TOKEN=XXXXXX-XXX-XXXXX-XXXXX
+DUCKDNS_SUBDOMAIN=example
+CLOUDFLARE_EMAIL=example@gmail.com
+
+##################################################################
+# APP VARIABLES
+##################################################################
 
+### TRANSMISSION (VPN + TORRENTS) ###
 OPENVPN_PROVIDER=NORDVPN
 OPENVPN_USERNAME=example@gmail.com
 OPENVPN_PASSWORD=XXXXXXXXXXXXXX
 
-DUCKDNS_TOKEN=XXXXXX-XXX-XXXXX-XXXXX
-DUCKDNS_SUBDOMAIN=example
+### PLEX (CLAIM TOKEN) ###
+PLEX_CLAIM=XXXXXXXXXXXXXX
 
-GOOGLE_CLIENT_ID=XXXXXXXXXXXXX-XXXXXXXXXXXXXXXXX.apps.googleusercontent.com
-GOOGLE_CLIENT_SECRET=XXXXXXXXXXXXXX
-OAUTH_SECRET=RANDOM_STRING_OF_CHARACTERS
-OAUTH_WHITELIST=example@gmail.com,user_1@gmail.com,user_2@gmail.com
-
-CLOUDFLARE_EMAIL=example@gmail.com
-CLOUDFLARE_API_KEY=XXXXXXXXXXXXX
+### OPENAI (NEXT-WEB + SLACK BOT) ###
+OPENAI_API_KEY="sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+# OPENAI_MODEL="gpt-4-turbo-preview"
+SLACK_BOT_TOKEN=xoxb-XXXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXXX
+SLACK_APP_TOKEN=xapp-1-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
+# SLACK_APP_LOG_LEVEL="INFO"

docs/index.md

@@ -44,8 +44,12 @@ everything.
 
 ```text
 .
+├── .env                                    # Environment Variables and Configuration
 ├── docker-compose.yaml                     # Main Docker Compose File
 ├── Makefile                                # Makefile for common tasks and docker compose wrappers
+├── secrets                                 # Secret Files
+│   ├── cloudflare_api_key.secret           # Cloudflare API Key
+│   └── google_oauth.secret                 # Google OAuth Credentials and Whitelist
 ├── media-center
 │   ├── docker-compose.yaml                 # Media-Center Stack Docker Compose File (Plex, Sonarr, etc.)
 │   ├── plex                                # Each individual service has its own subdirectory
@@ -63,11 +67,10 @@ everything.
 │           ├── middlewares-chains.yml      # Traefik Middlewares Chains
 │           ├── middlewares.yml             # Traefik Middlewares
 │           └── tls-opts.yml                # Traefik TLS Options
-├── miscellaneous                           # Non Media Center Services (pihole, chat-gpt-next-web, etc.)
-│   ├── chat-gpt-next-web
-│   │   └── docker-compose.yaml
-│   └── docker-compose.yaml                 # Miscellaneous Stack Docker Compose File
-└── README.md
+└── miscellaneous                           # Non Media Center Services (pihole, chat-gpt-next-web, etc.)
+    ├── chat-gpt-next-web
+    │   └── docker-compose.yaml
+    └── docker-compose.yaml                 # Miscellaneous Stack Docker Compose File
 ```
 
 [traefik]: https://github.com/traefik/traefik

docs/traefik.md

@@ -61,13 +61,9 @@ provide CloudFlare with the DuckDNS subdomain to point to your server.
 
 #### .env
 
-The [`example.env`](example.env) file can be modified and renamed `.env` in order
-for the containers to be build properly. This is the entire configuration file for
-all applications. All relevant hints can be found within.
-
-```shell
-cp docs/example.env .env
-```
+The `.env` needs to be modified in order for the containers to be build
+properly. This is the entire configuration file for all applications.
+All relevant hints can be found within.
 
 <details><summary>📄 .env</summary>
 <p>

media-center/calibre-web/docker-compose.yaml

@@ -8,9 +8,9 @@ services:
         image: lscr.io/linuxserver/calibre-web:latest
         hostname: ${CALIBRE_WEB_SUBDOMAIN:-calibre-web}
         volumes:
-            - ${MEDIA_CENTER_DIRECTORY}/calibre-web/config:/config
+            - ${DOCKER_DIRECTORY}/media-center/calibre-web/config:/config
             - ${BOOKS_DIR}:/books
-            - ${MEDIA_CENTER_DIRECTORY}/calibre/config:/calibre-config
+            - ${DOCKER_DIRECTORY}/media-center/calibre/config:/calibre-config
         environment:
             PUID: ${PUID}
             PGID: ${PGID}
@@ -19,7 +19,7 @@ services:
             OAUTHLIB_RELAX_TOKEN_SCOPE: 1
         security_opt:
             - no-new-privileges:true
-        restart: unless-stopped
+        restart: ${UNIVERSAL_RESTART_POLICY:-unless-stopped}
         platform: ${DOCKER_PLATFORM:-linux/amd64}
         networks:
             traefik:

media-center/calibre/docker-compose.yaml

@@ -8,7 +8,7 @@ services:
         image: lscr.io/linuxserver/calibre:latest
         hostname: ${CALIBRE_SUBDOMAIN:-calibre}
         volumes:
-            - ${MEDIA_CENTER_DIRECTORY}/calibre/config:/config
+            - ${DOCKER_DIRECTORY}/media-center/calibre/config:/config
             - ${BOOKS_DIR}:/books
             - ${COMPLETED_DOWNLOADS}:/downloads
         environment:
@@ -17,7 +17,7 @@ services:
             TZ: ${TZ}
         security_opt:
             - no-new-privileges:true
-        restart: unless-stopped
+        restart: ${UNIVERSAL_RESTART_POLICY:-unless-stopped}
         platform: ${DOCKER_PLATFORM:-linux/amd64}
         networks:
             traefik:

media-center/heimdall/docker-compose.yaml

@@ -7,14 +7,14 @@ services:
         container_name: heimdall
         image: lscr.io/linuxserver/heimdall:latest
         volumes:
-            - ${MEDIA_CENTER_DIRECTORY}/heimdall/config:/config
+            - ${DOCKER_DIRECTORY}/media-center/heimdall/config:/config
         environment:
             PUID: ${PUID}
             PGID: ${PGID}
             TZ: ${TZ}
         security_opt:
             - no-new-privileges:true
-        restart: unless-stopped
+        restart: ${UNIVERSAL_RESTART_POLICY:-unless-stopped}
         platform: ${DOCKER_PLATFORM:-linux/amd64}
         networks:
             traefik:

media-center/nzbget/docker-compose.yaml

@@ -8,15 +8,15 @@ services:
         image: lscr.io/linuxserver/nzbget:latest
         hostname: ${NZGGET_DOMAIN:-nzbget}.${DOMAIN_NAME}
         volumes:
-            - ${MEDIA_CENTER_DIRECTORY}/nzbget/config:/config
+            - ${DOCKER_DIRECTORY}/media-center/nzbget/config:/config
             - ${COMPLETED_DOWNLOADS}:/downloads/completed
         environment:
             PUID: ${PUID}
             PGID: ${PGID}
             TZ: ${TZ}
         security_opt:
             - no-new-privileges:true
-        restart: unless-stopped
+        restart: ${UNIVERSAL_RESTART_POLICY:-unless-stopped}
         platform: ${DOCKER_PLATFORM:-linux/amd64}
         networks:
             traefik:

media-center/ombi/docker-compose.yaml

@@ -12,10 +12,10 @@ services:
             PGID: ${PGID}
             TZ: ${TZ}
         volumes:
-            - ${MEDIA_CENTER_DIRECTORY}/ombi/config:/config
+            - ${DOCKER_DIRECTORY}/media-center/ombi/config:/config
         security_opt:
             - no-new-privileges:true
-        restart: unless-stopped
+        restart: ${UNIVERSAL_RESTART_POLICY:-unless-stopped}
         platform: ${DOCKER_PLATFORM:-linux/amd64}
         networks:
             traefik:

media-center/plex/docker-compose.yaml

@@ -8,11 +8,11 @@ services:
         image: lscr.io/linuxserver/plex:latest
         network_mode: host
         volumes:
-            - ${MEDIA_CENTER_DIRECTORY}/plex/config:/config
+            - ${DOCKER_DIRECTORY}/media-center/plex/config:/config
             - ${TV_DIR}:/tv
             - ${MOVIE_DIR}:/movies
-            - ${MEDIA_CENTER_DIRECTORY}/shared:/shared
-            - /tmp:/transcode
+            - ${DOCKER_DIRECTORY}/media-center/shared:/shared
+            - ${PLEX_TRANSCODE_DIR:-/tmp}:/transcode
             - ${BOOKS_DIR}:/books
         devices:
             - /dev/dri:/dev/dri
@@ -23,4 +23,4 @@ services:
             TZ: ${TZ}
             VERSION: docker
             PLEX_CLAIM: ${PLEX_CLAIM}
-        restart: ${UNIVERSAL_RESTART_POLICY}
+        restart: ${UNIVERSAL_RESTART_POLICY:-unless-stopped}