Move services to a service folder

services/.gitignore

@@ -0,0 +1,4 @@
+*/secrets/*
+!*/secrets/.gitkeep
+*/volumes/*/*
+!*/volumes/*/.gitkeep

services/authentication/configs/access.yml

@@ -0,0 +1,47 @@
+##
+## Access Control Configuration
+##
+## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
+##
+## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
+## to anyone. Otherwise restrictions follow the rules defined.
+##
+## Note: One can use the wildcard * to match any subdomain.
+## It must stand at the beginning of the pattern. (example: *.example.com)
+##
+## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
+##
+## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
+##
+## - 'domain' defines which domain or set of domains the rule applies to.
+##
+## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
+##    provided. If provided, the parameter represents either a user or a group. It should be of the form
+##    'user:<username>' or 'group:<groupname>'.
+##
+## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
+##
+## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
+##   is optional and matches any resource if not provided.
+##
+## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
+access_control:
+  default_policy: deny
+  rules:
+    # Support for one factor for transmission API
+    # Only users in "transmission-basic" should be allowed to do so
+    - domain_regex: '^transmission-api\..*'
+      policy: one_factor
+      subject:
+        - 'group:transmission-basic'
+    # Disable authentication on API protected by API keys
+    - domain_regex: '^(bazarr|prowlarr|radarr|sonarr)\..*'
+      policy: bypass
+      resources:
+        - '^/api$'
+        - '^/api/'
+    # Effective default policy, only allow admins with two-factor
+    - domain_regex: '.*'
+      policy: two_factor
+      subject:
+        - 'group:admins'

services/authentication/configs/authentication.yml

@@ -0,0 +1,32 @@
+##
+## Authentication Backend Provider Configuration
+##
+## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
+##
+## The available providers are: `file`, `ldap`. You must use only one of these providers.
+authentication_backend:
+  ##
+  ## File (Authentication Provider)
+  ##
+  ## With this backend, the users database is stored in a file which is updated when users reset their passwords.
+  ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
+  ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
+  ## implications it is highly recommended you leave the default values. Before considering changing these settings
+  ## please read the docs page below:
+  ## https://www.authelia.com/r/passwords#tuning
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+  ##
+  file:
+    path: /config/users_database.yml
+    watch: true
+
+##
+## Password Policy Configuration.
+##
+password_policy:
+  ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
+  zxcvbn:
+    enabled: true
+    ## Configures the minimum score allowed.
+    min_score: 4

services/authentication/configs/configuration.yml

@@ -0,0 +1,21 @@
+## Note: the container by default expects to find this file at /config/configuration.yml.
+
+## The theme to display: light, dark, grey, auto.
+theme: auto
+
+##
+## Storage Provider Configuration
+##
+## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
+storage:
+  ##
+  ## Local (Storage Provider)
+  ##
+  ## This stores the data in a SQLite3 Database.
+  ## This is only recommended for lightweight non-stateful installations.
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+  ##
+  local:
+    ## Path to the SQLite3 Database.
+    path: /config/db.sqlite3

services/authentication/docker-compose.yml

@@ -0,0 +1,63 @@
+name: Authentication
+
+services:
+  authelia:
+    image: authelia/authelia
+    command: --config /etc/authelia/configuration.yml,/etc/authelia/access.yml,/etc/authelia/authentication.yml
+    environment:
+      PUID: ${NASCOMPOSE_UID?}
+      PGID: ${NASCOMPOSE_GID?}
+      AUTHELIA_SESSION_DOMAIN: ${NASCOMPOSE_AUTHELIA_DOMAIN?} # Will be deprecated with newer versions of Authelia, which will support multiple domains
+      AUTHELIA_DEFAULT_REDIRECTION_URL: "https://heimdall.${NASCOMPOSE_AUTHELIA_DOMAIN?}"
+      AUTHELIA_JWT_SECRET_FILE: /run/secrets/jwt_secret
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage_key
+      AUTHELIA_NOTIFIER_SMTP_HOST: ${NASCOMPOSE_AUTHELIA_SMTP_HOST?}
+      AUTHELIA_NOTIFIER_SMTP_PORT: ${NASCOMPOSE_AUTHELIA_SMTP_PORT?}
+      AUTHELIA_NOTIFIER_SMTP_USERNAME: ${NASCOMPOSE_AUTHELIA_SMTP_USERNAME?}
+      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/smtp_password
+      AUTHELIA_NOTIFIER_SMTP_SENDER: ${NASCOMPOSE_AUTHELIA_SMTP_SENDER?}
+    networks:
+      - reverse-proxy
+    volumes:
+      - config:/config
+    configs:
+      - source: authelia_configuration
+        target: /etc/authelia/configuration.yml
+      - source: authelia_access
+        target: /etc/authelia/access.yml
+      - source: authelia_authentication
+        target: /etc/authelia/authentication.yml
+    secrets:
+      - jwt_secret
+      - storage_key
+      - smtp_password
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+
+networks:
+  reverse-proxy:
+    external: true
+
+volumes:
+  config:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/authentication/volumes/authelia_config/
+
+configs:
+  authelia_configuration:
+    file: ${NASCOMPOSE_SERVICES?}/authentication/configs/configuration.yml
+  authelia_access:
+    file: ${NASCOMPOSE_SERVICES?}/authentication/configs/access.yml
+  authelia_authentication:
+    file: ${NASCOMPOSE_SERVICES?}/authentication/configs/authentication.yml
+
+secrets:
+  jwt_secret:
+    file: ${NASCOMPOSE_SERVICES?}/authentication/secrets/jwt_secret
+  storage_key:
+    file: ${NASCOMPOSE_SERVICES?}/authentication/secrets/storage_key
+  smtp_password:
+    file: ${NASCOMPOSE_SERVICES?}/authentication/secrets/smtp_password

services/bootstrap/README.md

@@ -0,0 +1,82 @@
+# Bootstrap
+
+Set up a MacVLAN network
+
+As an example, with the following network setup:
+- interface to LAN: `bond0`
+- Complete LAN subnet: `192.168.0.0/23`
+- LAN gateway: `192.168.0.1`
+- DHCP range: `192.168.0.0/24` (excluding gateway)
+- MacVLAN interface name: `macvlan0` (user defined)
+- MacVLAN range: `192.168.1.0/24` (should be outside of DHCP range)
+- MacVLAN host IP: `192.168.1.1` (should be in the MacVLAN range)
+
+```
+ip link add macvlan0 link bond0 type macvlan mode bridge
+ip addr add 192.168.1.0/32 dev macvlan0
+ip link set macvlan0 up
+ip route add 192.168.1.0/24 dev macvlan0
+```
+
+Run portainer once
+```
+docker run --rm -p 9443:9443 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce:latest
+```
+
+### Environment variables
+- `NASCOMPOSE_SERVICES`: Absolute path to the `services` folder
+
+## Docker
+[`alpine/socat`](https://hub.docker.com/r/alpine/socat/) exposes the docker socket as a port.
+
+### 🌐 Ports
+- `2375 TCP`: Docker API
+
+### 📂 Volumes
+- `/var/run/docker.sock`: Socket file from host mounted as it to be exposed.
+
+### 📒 Documentation
+- [socat](https://linux.die.net/man/1/socat) manual
+
+## Traefik
+[`traefik`](https://hub.docker.com/_/traefik) is a reverse proxy for docker services.
+
+### 🌐 Ports
+- `80 TCP`: HTTP access. Should always redirect to HTTPs
+- `443 TCP`: HTTPs access
+
+### 📂 Volumes
+- `traefik_dynamic_config`: Folder containing the dynamic configuration for `File` provider. See [traefik documentation](https://doc.traefik.io/traefik/providers/file/).
+
+### 📝 Configs
+- `traefik_config`: Static configuration from `File` provider. See [traefik documentation](https://doc.traefik.io/traefik/providers/file/).
+
+### 🔒 Secrets
+- `traefik_password`: Basic Auth username/password to access Traefik. Encoded using htpasswd (or [equivalent](https://hostingcanada.org/htpasswd-generator/)), use BCrypt at least.
+- `traefik_tls_cert`: Self-signed certificate for Traefik. Particularly useful in development to avoid generating new certificates on each restart.
+- `traefik_tls_key`: Self-signed private key for Traefik. Used with `traefik_tls_cert`.
+
+### 📒 Documentation
+- [Traefik](https://doc.traefik.io/) official documentation
+
+## Portainer
+[`portainer/portainer-ce`](https://hub.docker.com/r/portainer/portainer-ce) is a docker instance manager.
+Useful to manage the stacks/docker-compose configuration for the NAS.
+
+Set up to use the port exposed via the `Docker` container. It displays information about all docker resources available on the host. \
+It excludes all resources with the tag `nas-compose.boostrap: true`.
+
+Each compose file (except the `bootstrap.docker-compose.yaml`) need to be added as a [stack](https://docs.portainer.io/user/docker/stacks/add), with the right environment variables set.
+
+
+### 🌐 Ports
+- `9443 TCP`: HTTPs (self-signed) access to the web interface
+
+### 📂 Volumes
+- ⚠️ `portainer_data`: All configuration and application data related to portainer. **It contains sensitive files**
+
+### 🔒 Secrets
+- `portainer_password`: Admin default admin's password
+
+### 📒 Documentation
+- [Portainer](https://docs.portainer.io/) official documentation

services/bootstrap/docker-compose.local.yml

@@ -0,0 +1,4 @@
+services:
+  portainer:
+    ports:
+      - 9443:9443

services/bootstrap/docker-compose.macvlan.yml

@@ -0,0 +1,21 @@
+services:
+  portainer:
+    networks:
+      macvlan:
+        ipv4_address: ${NASCOMPOSE_MACVLAN_PORTAINER_IP?}
+
+networks:
+  macvlan:
+    name: macvlan
+    driver: macvlan
+    driver_opts:
+      parent: ${NASCOMPOSE_MACVLAN_IFACE?}
+    ipam:
+      config:
+        - subnet: ${NASCOMPOSE_MACVLAN_SUBNET?}
+          gateway: ${NASCOMPOSE_MACVLAN_GATEWAY?}
+          ip_range: ${NASCOMPOSE_MACVLAN_RANGE?}
+          aux_addresses:
+            nas: ${NASCOMPOSE_MACVLAN_HOST_IP?}
+    labels:
+      nas-compose.boostrap: true

services/bootstrap/docker-compose.yml

@@ -0,0 +1,51 @@
+name: Bootstrap
+
+services:
+  docker:
+    image: alpine/socat
+    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
+    networks:
+      - docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    restart: unless-stopped
+    labels:
+      nas-compose.boostrap: true
+
+  portainer:
+    image: portainer/portainer-ce
+    command: >
+      --host tcp://docker:2375
+      --hide-label nas-compose.boostrap=true
+      --admin-password-file /run/secrets/portainer_password
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    networks:
+      - docker
+    volumes:
+      - portainer_data:/data/
+    secrets:
+      - portainer_password
+    depends_on:
+      - docker
+    restart: unless-stopped
+    labels:
+      nas-compose.boostrap: true
+
+networks:
+  docker:
+    name: docker
+    labels:
+      nas-compose.boostrap: true
+
+volumes:
+  portainer_data:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/bootstrap/volumes/portainer_data/
+    labels:
+      nas-compose.boostrap: true
+
+secrets:
+  portainer_password:
+    file: ${NASCOMPOSE_SERVICES?}/bootstrap/secrets/portainer_password

services/docker-monitoring/docker-compose.yml

@@ -0,0 +1,24 @@
+name: Docker monitoring
+
+services:
+  watchtower:
+    image: containrrr/watchtower
+    environment:
+      DOCKER_HOST: tcp://docker:2375
+      WATCHTOWER_INCLUDE_RESTARTING: true
+      WATCHTOWER_INCLUDE_STOPPED: true
+      WATCHTOWER_MONITOR_ONLY: true
+      WATCHTOWER_NOTIFICATION_URL: /run/secrets/watchtower_notification_url
+    networks:
+      - docker
+    secrets:
+      - watchtower_notification_url
+    restart: unless-stopped
+
+networks:
+  docker:
+    external: true
+
+secrets:
+  watchtower_notification_url:
+    file: ${NASCOMPOSE_SERVICES?}/docker-monitoring/secrets/notification_url

services/dynamic-dns/docker-compose.yml

@@ -0,0 +1,15 @@
+name: Dynamic DNS
+
+services:
+  duckdns:
+    image: linuxserver/duckdns
+    environment:
+      - SUBDOMAINS=${NASCOMPOSE_DUCKDNS_DOMAIN?}
+      - FILE__TOKEN=/run/secrets/duckdns_token
+    secrets:
+      - duckdns_token
+    restart: unless-stopped
+
+secrets:
+  duckdns_token:
+    file: ${NASCOMPOSE_SERVICES?}/dynamic-dns/secrets/duckdns_token

services/indexer/docker-compose.yml

@@ -0,0 +1,46 @@
+name: Indexer
+
+services:
+  prowlarr:
+    image: linuxserver/prowlarr
+    environment:
+      PUID: ${NASCOMPOSE_UID?}
+      PGID: ${NASCOMPOSE_GID?}
+    networks:
+      - reverse-proxy
+      - default
+      - indexer
+      - torrents
+      - usenet
+    dns:
+      # Work around DNS blocks in various regions
+      - 1.1.1.1
+      - 1.0.0.1
+    volumes:
+      - prowlarr_config:/config/
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.prowlarr.middlewares: authelia@file
+
+  flaresolverr:
+    image: flaresolverr/flaresolverr
+    restart: unless-stopped
+
+networks:
+  indexer:
+    name: indexer
+
+  reverse-proxy:
+    external: true
+  torrents:
+    external: true
+  usenet:
+    external: true
+
+volumes:
+  prowlarr_config:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/indexer/volumes/prowlarr_config/

services/media-player/docker-compose.hwaccl.yml

@@ -0,0 +1,4 @@
+services:
+  plex:
+    devices:
+      - /dev/dri:/dev/dri

services/media-player/docker-compose.local.yml

@@ -0,0 +1,4 @@
+services:
+  portainer:
+    ports:
+      - 32400:32400

services/media-player/docker-compose.macvlan.yml

@@ -0,0 +1,9 @@
+services:
+  plex:
+    networks:
+      macvlan:
+        ipv4_address: ${NASCOMPOSE_MACVLAN_PLEX_IP?}
+
+networks:
+  macvlan:
+    external: true

services/media-player/docker-compose.yml

@@ -0,0 +1,48 @@
+name: Media-Player
+
+services:
+  plex:
+    image: plexinc/pms-docker:plexpass
+    environment:
+      PLEX_UID: ${NASCOMPOSE_UID?}
+      PLEX_GID: ${NASCOMPOSE_GID?}
+    networks:
+      - reverse-proxy
+      - scrobbler
+    volumes:
+      - plex_transcode:/transcode/
+      - plex_config:/config/
+      - tv:/data/tv/
+      - movies:/data/movies/
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.services.plex.loadbalancer.server.port: 32400
+      traefik.http.services.plex.loadbalancer.server.scheme: https
+
+networks:
+  reverse-proxy:
+    external: true
+  scrobbler:
+    external: true
+
+volumes:
+  movies:
+    name: movies
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_DATA?}/media/movies/
+  tv:
+    name: tv
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_DATA?}/media/tv/
+
+  plex_transcode:
+  plex_config:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/volumes/plex/config/

services/network-monitoring/docker-compose.yml

@@ -0,0 +1,33 @@
+name: Network monitoring
+
+services:
+  smokeping:
+    image: linuxserver/smokeping
+    environment:
+      PUID: ${NASCOMPOSE_UID?}
+      PGID: ${NASCOMPOSE_GID?}
+    networks:
+      - reverse-proxy
+    volumes:
+      - smokeping_data:/data/
+      - smokeping_config:/config/
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.smokeping.middlewares: authelia@file
+
+networks:
+  reverse-proxy:
+    external: true
+
+volumes:
+  smokeping_data:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/volumes/smokeping/data/
+  smokeping_config:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/volumes/smokeping/config/

services/portal/docker-compose.yml

@@ -0,0 +1,27 @@
+name: Portal
+
+services:
+  heimdall:
+    image: linuxserver/heimdall
+    environment:
+      PUID: ${NASCOMPOSE_UID?}
+      PGID: ${NASCOMPOSE_GID?}
+    networks:
+      - reverse-proxy
+    volumes:
+      - heimdall_config:/config/
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.heimdall.middlewares: authelia@file
+
+networks:
+  reverse-proxy:
+    external: true
+
+volumes:
+ heimdall_config:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/portal/volumes/heimdall_config/

services/reverse-proxy/configs/dynamic/authelia.yml

@@ -0,0 +1,20 @@
+http:
+  middlewares:
+    authelia:
+      forwardAuth:
+        address: 'http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.{{ env `NASCOMPOSE_TRAEFIK_DOMAINS` | splitList `,` | first }}%2F'
+        trustForwardHeader: true
+        authResponseHeaders:
+          - Remote-User
+          - Remote-Groups
+          - Remote-Name
+          - Remote-Email
+    authelia-basic:
+      forwardAuth:
+        address: http://authelia:9091/api/verify?auth=basic
+        trustForwardHeader: true
+        authResponseHeaders:
+          - Remote-User
+          - Remote-Groups
+          - Remote-Name
+          - Remote-Email

services/reverse-proxy/configs/dynamic/hsts.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    hsts:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+        stsSeconds: 31536000 # 1 year
+        stsPreload: true
+        stsIncludeSubdomains: true

services/reverse-proxy/configs/dynamic/portainer.yml

@@ -0,0 +1,10 @@
+http:
+  routers:
+    portainer:
+      rule: '{{ $s := "portainer" }}{{ range $i, $d := splitList "," (env `NASCOMPOSE_TRAEFIK_DOMAINS`) }}{{ if $i }} || {{end}}Host(`{{ $s }}.{{ $d }}`){{ end }}'
+      service: portainer@file
+  services:
+    portainer:
+      loadBalancer:
+        servers:
+          - url: https://{{ env `NASCOMPOSE_MACVLAN_PORTAINER_IP` }}:9443/

services/reverse-proxy/configs/dynamic/synology.yml

@@ -0,0 +1,10 @@
+http:
+  routers:
+    synology:
+      rule: '{{ $s := "synology" }}{{ range $i, $d := splitList "," (env `NASCOMPOSE_TRAEFIK_DOMAINS`) }}{{ if $i }} || {{end}}Host(`{{ $s }}.{{ $d }}`){{ end }}'
+      service: synology@file
+  services:
+    synology:
+      loadBalancer:
+        servers:
+          - url: https://{{ env `NASCOMPOSE_MACVLAN_SYNOLOGY_IP` }}:5001/

services/reverse-proxy/configs/dynamic/tls.yml

@@ -0,0 +1,6 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /run/secrets/traefik_tls_cert
+        keyFile: /run/secrets/traefik_tls_key

services/reverse-proxy/configs/dynamic/traefik.yml

@@ -0,0 +1,10 @@
+http:
+  routers:
+    traefik-internal:
+      rule: Host(`traefik`)
+      service: api@internal
+    traefik:
+      rule: '{{ $s := "traefik" }}{{ range $i, $d := splitList "," (env `NASCOMPOSE_TRAEFIK_DOMAINS`) }}{{ if $i }} || {{end}}Host(`{{ $s }}.{{ $d }}`){{ end }}'
+      service: api@internal
+      middlewares:
+        - authelia@file

services/reverse-proxy/configs/dynamic/transmission-api.yml

@@ -0,0 +1,7 @@
+http:
+  routers:
+    transmission-api:
+      rule: '{{ $s := "transmission-api" }}{{ range $i, $d := splitList "," (env `NASCOMPOSE_TRAEFIK_DOMAINS`) }}{{ if $i }} || {{end}}Host(`{{ $s }}.{{ $d }}`){{ end }}'
+      service: transmission@docker
+      middlewares:
+        - authelia-basic@file

services/reverse-proxy/configs/traefik.yml

@@ -0,0 +1,32 @@
+providers:
+  docker:
+    endpoint: tcp://docker:2375
+    exposedByDefault: false
+    network: traefik
+    defaultRule: '{{ $s := index .Labels "com.docker.compose.service" }}{{ range $i, $d := splitList "," (env `NASCOMPOSE_TRAEFIK_DOMAINS`) }}{{ if $i }} || {{end}}Host(`{{ $s }}.{{ $d }}`){{ end }}'
+  file:
+    directory: /etc/traefik/dynamic/
+
+serverstransport:
+  insecureskipverify: true
+
+api: {}
+accessLog: {}
+
+entryPoints:
+  web:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: :443
+    http:
+      tls: {}
+      middlewares:
+        - hsts@file
+
+global:
+  sendAnonymousUsage: false

services/reverse-proxy/docker-compose.local.yml

@@ -0,0 +1,5 @@
+services:
+  traefik:
+    ports:
+      - 80:80
+      - 443:443

services/reverse-proxy/docker-compose.macvlan.yml

@@ -0,0 +1,23 @@
+services:
+  traefik:
+    environment:
+      NASCOMPOSE_MACVLAN_SYNOLOGY_IP: ${NASCOMPOSE_MACVLAN_HOST_IP?}
+      NASCOMPOSE_MACVLAN_PORTAINER_IP: ${NASCOMPOSE_MACVLAN_PORTAINER_IP?}
+    networks:
+      macvlan:
+        ipv4_address: ${NASCOMPOSE_MACVLAN_TRAEFIK_IP?}
+    configs:
+      - source: traefik_synology
+        target: /etc/traefik/dynamic/synology.yml
+      - source: traefik_portainer
+        target: /etc/traefik/dynamic/portainer.yml
+
+networks:
+  macvlan:
+    external: true
+
+configs:
+  traefik_synology:
+    file: ${NASCOMPOSE_SERVICES?}/proxy/configs/dynamic/synology.yml
+  traefik_portainer:
+    file: ${NASCOMPOSE_SERVICES?}/proxy/configs/dynamic/portainer.yml

services/reverse-proxy/docker-compose.yml

@@ -0,0 +1,59 @@
+name: Reverse proxy
+
+services:
+  traefik:
+    image: traefik
+    environment:
+      NASCOMPOSE_TRAEFIK_DOMAINS: ${NASCOMPOSE_TRAEFIK_DOMAINS?}
+    networks:
+      - reverse-proxy
+      - docker
+    configs:
+      - source: traefik_static
+        target: /etc/traefik/traefik.yml
+
+      - source: traefik_dynamic
+        target: /etc/traefik/dynamic/traefik.yml
+      - source: traefik_tls
+        target: /etc/traefik/dynamic/tls.yml
+      - source: traefik_hsts
+        target: /etc/traefik/dynamic/hsts.yml
+
+      - source: traefik_authelia
+        target: /etc/traefik/dynamic/authelia.yml
+      - source: traefik_transmission-api
+        target: /etc/traefik/dynamic/transmission-api.yml
+    secrets:
+      - traefik_tls_cert
+      - traefik_tls_key
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.traefik.service: api@internal
+
+networks:
+  reverse-proxy:
+    name: traefik
+
+  docker:
+    external: true
+
+configs:
+  traefik_static:
+    file: ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/traefik.yml
+  traefik_dynamic:
+    file: ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/dynamic/traefik.yml
+  traefik_tls:
+    file: ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/dynamic/tls.yml
+  traefik_hsts:
+    file: ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/dynamic/hsts.yml
+  traefik_authelia:
+    file: ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/dynamic/authelia.yml
+  traefik_transmission-api:
+    file: ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/dynamic/transmission-api.yml
+
+secrets:
+  traefik_tls_cert:
+    file: ${NASCOMPOSE_SERVICES?}/reverse-proxy/secrets/traefik.cert
+  traefik_tls_key:
+    file: ${NASCOMPOSE_SERVICES?}/reverse-proxy/secrets/traefik.key

services/scrobbler/docker-compose.yml

@@ -0,0 +1,42 @@
+name: Scrobbler
+
+services:
+  plaxt:
+    image: xanderstrike/goplaxt
+    profiles: [plaxt]
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    environment:
+      TRAKT_ID_FILE: /run/secrets/trakt_id
+      TRAKT_SECRET_FILE: /run/secrets/trakt_secret
+    networks:
+      - reverse-proxy
+      - scrobbler
+    volumes:
+      - plaxt_keystore:/app/keystore/
+    secrets:
+      - trakt_id
+      - trakt_secret
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.plaxt.middlewares: authelia@file
+
+networks:
+  scrobbler:
+    name: scrobbler
+
+  reverse-proxy:
+    external: true
+
+volumes:
+  plaxt_keystore:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/scrobbler/volumes/plaxt_keystore/
+
+secrets:
+  trakt_id:
+    file: ${NASCOMPOSE_SERVICES?}/scrobbler/secrets/trakt_id
+  trakt_secret:
+    file: ${NASCOMPOSE_SERVICES?}/scrobbler/secrets/trakt_secret

services/torrents/docker-compose.yml

@@ -0,0 +1,56 @@
+name: Torrents
+
+services:
+  transmission:
+    image: haugene/transmission-openvpn
+    environment:
+      PUID: ${NASCOMPOSE_UID?}
+      PGID: ${NASCOMPOSE_GID?}
+      OPENVPN_PROVIDER: PIA
+      OPENVPN_CONFIG: ${NASCOMPOSE_TRANSMISSION_VPNREGION?}
+      OPENVPN_OPTS: --inactive 3600 --ping 10 --ping-exit 60
+      LOCAL_NETWORK: 192.168.0.0/16
+    cap_add:
+      - NET_ADMIN
+    networks:
+      - reverse-proxy
+      - torrents
+    dns:
+      # Work around DNS blocks in various regions
+      - 1.1.1.1
+      - 1.0.0.1
+    volumes:
+      - transmission_config:/config/
+      - torrents:/data/
+    secrets:
+      - source: transmission_vpn_creds
+        target: openvpn_creds
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.services.transmission.loadbalancer.server.port: 9091
+      traefik.http.routers.transmission.middlewares: authelia@file
+
+networks:
+  torrents:
+    name: torrents
+
+  reverse-proxy:
+    external: true
+
+volumes:
+  torrents:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_DATA?}/torrents/
+
+  transmission_config:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/volumes/transmission/config/
+
+secrets:
+    transmission_vpn_creds:
+        file: ${NASCOMPOSE_SERVICES?}/secrets/transmission/vpn_creds

services/usenet/docker-compose.yml

@@ -0,0 +1,44 @@
+name: Usenet
+
+services:
+  # Always create the usenet network even if the usenet profile is disabled
+  dummy:
+    image: tianon/true
+    networks:
+      - usenet
+
+  sabnzbd:
+    image: linuxserver/sabnzbd
+    profiles: [usenet]
+    environment:
+      PUID: ${NASCOMPOSE_UID?}
+      PGID: ${NASCOMPOSE_GID?}
+    networks:
+      - reverse-proxy
+      - usenet
+    volumes:
+      - sabnzbd_config:/config
+      - usenet:/downloads
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+
+networks:
+  usenet:
+    name: usenet
+
+  reverse-proxy:
+    external: true
+
+volumes:
+  usenet:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_DATA?}/usenet/
+
+  sabnzbd_config:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_SERVICES?}/usenet/volumes/sabnzbd_config/

services/youtube-dl/docker-compose.yml

@@ -0,0 +1,37 @@
+name: Youtube-DL
+
+services:
+  youtube-dl:
+    image: alexta69/metube
+    environment:
+      UID: ${NASCOMPOSE_UID?}
+      GID: ${NASCOMPOSE_GID?}
+      YTDL_OPTIONS: >
+        {
+          "writesubtitles": true,
+          "subtitleslangs": ["all", "-live_chat"],
+          "subtitlesformat": "ass/srt/best",
+          "postprocessors": [
+            { "key": "FFmpegEmbedSubtitle" },
+            { "key": "FFmpegMetadata" }
+          ]
+        }
+    networks:
+      - reverse-proxy
+    volumes:
+      - youtub-dl:/downloads
+    restart: unless-stopped
+    labels:
+      traefik.enable: true
+      traefik.http.routers.youtube-dl.middlewares: authelia@file
+
+networks:
+  reverse-proxy:
+    external: true
+
+volumes:
+  youtube-dl:
+    driver_opts:
+      type: none
+      o: bind
+      device: ${NASCOMPOSE_DATA?}/youtub-dl/