Migration to newer dockge/compose stack

.gitignore

@@ -1 +1,13 @@
 *.nas-compose.env
+# Prevent the content of volumes from being commited, but allow the folders
+/*/volumes/*/**
+# Prevent secrets from being commited
+/*/secrets/**
+# Prevent local environment configuration from being commited
+/*/.env
+# Allow .gitkeeps for empty folders (volumes/secrets)
+!.gitkeep
+!.gitignore
+
+@eaDir
+.DS_Store

authentication/compose.yaml

@@ -0,0 +1,67 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  authelia:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: authelia
+    image: authelia/authelia
+    command:
+      - authelia
+      - --config=/etc/authelia/configuration.yml
+      - --config=/etc/authelia/access.yml
+      - --config=/etc/authelia/authentication.yml
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    environment:
+      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: /run/secrets/jwt_secret
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage_key
+      AUTHELIA_NOTIFIER_SMTP_ADDRESS: smtp://smtp-server
+      AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: true
+      AUTHELIA_NOTIFIER_SMTP_SENDER: Authelia <authelia@${NASCOMPOSE_DOMAIN?}>
+      X_AUTHELIA_CONFIG_FILTERS: template
+      TEMPLATE_NASCOMPOSE_DOMAIN: ${NASCOMPOSE_DOMAIN?}
+    networks:
+      - smtp-server
+      - default
+    volumes:
+      - ./volumes/authelia_config/:/config/
+      - ./configs/authelia_configuration.yml:/etc/authelia/configuration.yml:ro
+      - ./configs/authelia_access.yml:/etc/authelia/access.yml:ro
+      - ./configs/authelia_authentication.yml:/etc/authelia/authentication.yml:ro
+      - ./secrets/authelia_jwt_secret:/run/secrets/jwt_secret:ro
+      - ./secrets/authelia_storage_key:/run/secrets/storage_key:ro
+      - ./secrets/authelia_oidcsecret:/run/secrets/oidcsecret:ro
+      - ./secrets/authelia_oidc.key:/run/secrets/oidc.key:ro
+  authelia-redis:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: authelia-redis
+    image: redis
+    #user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+
+  lldap:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: lldap
+    image: lldap/lldap:latest-alpine-rootless
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    environment:
+      LLDAP_JWT_SECRET_FILE: /run/secrets/jwt_secret
+      LLDAP_KEY_SEED_FILE: /run/secrets/key_seed
+    networks:
+      - default
+    volumes:
+      - ./volumes/lldap_data:/data
+      - ./secrets/lldap_jwt_secret:/run/secrets/jwt_secret:ro
+      - ./secrets/lldap_key_seed:/run/secrets/key_seed:ro
+    labels:
+      traefik.http.routers.lldap.middlewares: authelia@file
+      traefik.http.services.lldap.loadbalancer.server.port: 17170
+networks:
+  reverse-proxy:
+    external: true
+  smtp-server:
+    external: true

authentication/docker-compose.yml

@@ -1,59 +0,0 @@
-name: authentication
-
-services:
-  authelia:
-    hostname: authelia
-    image: authelia/authelia
-    command: --config /etc/authelia/configuration.yml,/etc/authelia/access.yml,/etc/authelia/authentication.yml
-    environment:
-      PUID: ${NASCOMPOSE_UID?}
-      PGID: ${NASCOMPOSE_GID?}
-      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: /run/secrets/jwt_secret
-      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage_key
-      AUTHELIA_NOTIFIER_SMTP_ADDRESS: ${NASCOMPOSE_AUTHELIA_SMTP_ADDRESS?}
-      AUTHELIA_NOTIFIER_SMTP_USERNAME: ${NASCOMPOSE_AUTHELIA_SMTP_USERNAME?}
-      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/smtp_password
-      AUTHELIA_NOTIFIER_SMTP_SENDER: "authelia@${NASCOMPOSE_DOMAIN?}"
-      X_AUTHELIA_CONFIG_FILTERS: template
-      TEMPLATE_NASCOMPOSE_DOMAIN: ${NASCOMPOSE_DOMAIN?}
-    networks:
-      - reverse-proxy
-      - default
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/authentication/volumes/authelia_config/:/config/
-      # Configuration
-      - ${NASCOMPOSE_SERVICES?}/authentication/configs/authelia_configuration.yml:/etc/authelia/configuration.yml:ro
-      - ${NASCOMPOSE_SERVICES?}/authentication/configs/authelia_access.yml:/etc/authelia/access.yml:ro
-      - ${NASCOMPOSE_SERVICES?}/authentication/configs/authelia_authentication.yml:/etc/authelia/authentication.yml:ro
-      # Secrets
-      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_jwt_secret:/run/secrets/jwt_secret:ro
-      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_storage_key:/run/secrets/storage_key:ro
-      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_smtp_password:/run/secrets/smtp_password:ro
-      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_oidcsecret:/run/secrets/oidcsecret:ro
-      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/authelia_oidc.key:/run/secrets/oidc.key:ro
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-
-  lldap:
-    image: lldap/lldap
-    environment:
-      UID: ${NASCOMPOSE_UID?}
-      GID: ${NASCOMPOSE_GID?}
-      LLDAP_JWT_SECRET_FILE: /run/secrets/jwt_secret
-      LLDAP_KEY_SEED_FILE: /run/secrets/key_seed
-    networks:
-      - reverse-proxy
-      - default
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/authentication/volumes/lldap_data:/data
-      # Secrets
-      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/lldap_jwt_secret:/run/secrets/jwt_secret:ro
-      - ${NASCOMPOSE_SERVICES?}/authentication/secrets/lldap_key_seed:/run/secrets/key_seed:ro
-    labels:
-      traefik.enable: true
-      traefik.http.services.lldap.loadbalancer.server.port: 17170
-
-networks:
-  reverse-proxy:
-    external: true

book-collector/compose.yaml

@@ -1,42 +1,41 @@
-name: book-collector
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
+name: book-collector
 services:
   readarr-audiobook:
-    hostname: readarr-audiobook
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: readarr-audiobook
     image: lscr.io/linuxserver/readarr:develop # TODO: Move to a stable version
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - torrents
       - usenet
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/book-collector/volumes/readarr-audiobook_config/:/config/
+      - ./volumes/readarr-audiobook_config/:/config/
       - ${NASCOMPOSE_DATA?}/:/data/
-    restart: unless-stopped
     labels:
-      traefik.enable: true
       traefik.http.routers.readarr-audiobook.middlewares: authelia@file
-
   readarr-ebook:
-    hostname: readarr-ebook
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: readarr-ebook
     image: lscr.io/linuxserver/readarr:develop # TODO: Move to a stable version
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - torrents
       - usenet
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/book-collector/volumes/readarr-ebook_config/:/config/
+      - ./volumes/readarr-ebook_config/:/config/
       - ${NASCOMPOSE_DATA?}/:/data/
-    restart: unless-stopped
     labels:
-      traefik.enable: true
       traefik.http.routers.readarr-ebook.middlewares: authelia@file
-
 networks:
   reverse-proxy:
     external: true

bootstrap/compose.macvlan.yaml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
 services:
   portainer:
     networks:

bootstrap/compose.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  portainer:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: portainer
+    image: portainer/portainer-ee
+    command:
+      - --admin-password-file=/run/secrets/portainer_password
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./volumes/portainer_data/:/data/
+      - ./secrets/portainer_password:/run/secrets/portainer_password:ro
+    labels:
+      traefik.http.services.portainer.loadbalancer.server.port: 9443
+      traefik.http.services.portainer.loadbalancer.server.scheme: https
+networks:
+  reverse-proxy:
+    external: true

bootstrap/docker-compose.yml

@@ -1,15 +0,0 @@
-name: bootstrap
-
-services:
-  portainer:
-    hostname: portainer
-    image: portainer/portainer-ce
-    command: >
-      --admin-password-file /run/secrets/portainer_password
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - /var/packages/ContainerManager/var/docker/volumes/:/var/lib/docker/volumes/
-      - ${NASCOMPOSE_SERVICES?}/bootstrap/volumes/portainer_data/:/data/
-      # Secrets
-      - ${NASCOMPOSE_SERVICES?}/bootstrap/secrets/portainer_password:/run/secrets/portainer_password:ro
-    restart: unless-stopped

comic-collector/compose.yaml

@@ -1,27 +1,24 @@
-name: comic-collector
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   mylar:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
     hostname: mylar
     image: lscr.io/linuxserver/mylar3
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - torrents
       - usenet
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/comic-collector/volumes/mylar_config/:/config/
+      - ./volumes/mylar_config/:/config/
       - ${NASCOMPOSE_DATA?}/:/data/
-    restart: unless-stopped
     labels:
-      traefik.enable: true
       traefik.http.routers.mylar.middlewares: authelia@file
-
 networks:
-  reverse-proxy:
-    external: true
   torrents:
     external: true
   usenet:

compose.base.yaml

@@ -0,0 +1,22 @@
+services:
+  base-service:
+    restart: unless-stopped
+    logging:
+      driver: loki
+      options:
+        loki-url: http://${NASCOMPOSE_MACVLAN_LOKI_IP?}:3100/loki/api/v1/push
+        loki-retries: 2
+        loki-max-backoff: 800ms
+        loki-timeout: 1s
+        keep-file: 'true'
+
+  exposed-service:
+    extends: base-service
+    networks:
+      - reverse-proxy
+    labels:
+      traefik.enable: true
+
+networks:
+  reverse-proxy:
+    external: true

docker-monitoring/compose.yaml

@@ -0,0 +1,61 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  watchtower:
+    extends:
+      file: ../compose.base.yaml
+      service:  ase-service
+    container_name: watchtower
+    image: containrrr/watchtower
+    environment:
+      WATCHTOWER_INCLUDE_RESTARTING: true
+      WATCHTOWER_INCLUDE_STOPPED: true
+      WATCHTOWER_CLEANUP: true
+      WATCHTOWER_NOTIFICATION_REPORT: true
+      WATCHTOWER_NOTIFICATION_URL: /run/secrets/notification_url
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${NASCOMPOSE_SERVICES?}/docker-monitoring/secrets/notification_url:/run/secrets/notification_url:ro
+
+  portainer:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: portainer
+    image: portainer/portainer-ee
+    command:
+      - --admin-password-file=/run/secrets/portainer_password
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./volumes/portainer_data/:/data/
+      - ./secrets/portainer_password:/run/secrets/portainer_password:ro
+    labels:
+      traefik.http.services.portainer.loadbalancer.server.port: 9443
+      traefik.http.services.portainer.loadbalancer.server.scheme: https
+
+  dockge:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: dockge
+    build:
+      context: .
+      dockerfile_inline: |
+        FROM louislam/dockge
+        RUN  apt update \
+             && apt --yes --no-install-recommends install \
+             docker-ce-cli docker-compose-plugin \
+             && rm -rf /var/lib/apt/lists/*
+    environment:
+      DOCKGE_STACKS_DIR: ${NASCOMPOSE_SERVICES?}/
+      COMPOSE_ENV_FILES: ${NASCOMPOSE_SERVICES?}/nas-compose.env,.env
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${NASCOMPOSE_SERVICES?}/:${NASCOMPOSE_SERVICES?}/
+      - ${NASCOMPOSE_SERVICES?}/docker-monitoring/volumes/dockge_data/:/app/data/
+    labels:
+      traefik.http.routers.dockge.middlewares: authelia@file
+
+networks:
+  reverse-proxy:
+    external: true

docker-monitoring/docker-compose.yml

@@ -1,34 +0,0 @@
-name: docker-monitoring
-
-services:
-  watchtower:
-    hostname: watchtower
-    image: containrrr/watchtower
-    environment:
-      WATCHTOWER_INCLUDE_RESTARTING: true
-      WATCHTOWER_INCLUDE_STOPPED: true
-      WATCHTOWER_CLEANUP: true
-      WATCHTOWER_NOTIFICATION_REPORT: true
-      WATCHTOWER_NOTIFICATION_URL: /run/secrets/notification_url
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      # Secrets
-      - ${NASCOMPOSE_SERVICES?}/docker-monitoring/secrets/notification_url:/run/secrets/notification_url:ro
-    restart: unless-stopped
-  dockge:
-    hostname: dockge
-    image: louislam/dockge
-    networks:
-      - reverse-proxy
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ${NASCOMPOSE_SERVICES?}/docker-monitoring/volumes/dockge_stacks/:/opt/stacks/
-      - ${NASCOMPOSE_SERVICES?}/docker-monitoring/volumes/dockge_data/:/app/data/
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-      traefik.http.routers.dockge.middlewares: authelia@file
-
-networks:
-  reverse-proxy:
-    external: true

document-collector/compose.yaml

@@ -1,11 +1,14 @@
-name: document-collector
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   paperless:
-    hostname: paperless
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: paperless
     image: ghcr.io/paperless-ngx/paperless-ngx
     environment:
-      PAPERLESS_REDIS: redis://broker:6379
+      PAPERLESS_REDIS: redis://paperless-broker:6379
       USERMAP_UID: ${NASCOMPOSE_UID?}
       USERMAP_GID: ${NASCOMPOSE_GID?}
       PAPERLESS_URL: https://paperless.${NASCOMPOSE_DOMAIN?}
@@ -13,27 +16,24 @@ services:
       PAPERLESS_TRASH_DIR: /usr/src/paperless/media/recycle-bin/paperless/
       PAPERLESS_OCR_USER_ARGS: '{"invalidate_digital_signatures": true}'
     networks:
-      - reverse-proxy
       - default
     depends_on:
-      - broker
+      - paperless-broker
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/document-collector/volumes/paperless_data/:/usr/src/paperless/data/
+      - ./volumes/paperless_data/:/usr/src/paperless/data/
       - ${NASCOMPOSE_DATA?}/media/:/usr/src/paperless/media/
       - ${NASCOMPOSE_DATA?}/consume:/usr/src/paperless/consume
       - ${NASCOMPOSE_DATA?}/export:/usr/src/paperless/export
-    restart: unless-stopped
     labels:
-      traefik.enable: true
       traefik.http.routers.paperless.middlewares: authelia@file
-
-  broker:
-    hostname: broker
-    image: redis:7
+  paperless-broker:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: paperless-broker
+    image: redis
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/document-collector/volumes/broker_data/:/data/
-    restart: unless-stopped
-
+      - ./volumes/broker_data/:/data/
 networks:
   reverse-proxy:
     external: true

dynamic-dns/compose.yaml

@@ -1,13 +1,14 @@
-name: dynamic-dns
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   duckdns:
-    hostname: duckdns
+    container_name: duckdns
     image: lscr.io/linuxserver/duckdns
     environment:
       - SUBDOMAINS=${NASCOMPOSE_DUCKDNS_DOMAIN?}
       - FILE__TOKEN=/run/secrets/duckdns_token
     volumes:
       # Secrets
-      - ${NASCOMPOSE_SERVICES?}/dynamic-dns/secrets/duckdns_token:/run/secrets/duckdns_token:ro
+      - ./secrets/duckdns_token:/run/secrets/duckdns_token:ro
     restart: unless-stopped
+networks: {}

ebook-reader/compose.yaml

@@ -1,46 +1,43 @@
-name: ebook-reader
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   calibre:
-    hostname: calibre
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: calibre
     image: lscr.io/linuxserver/calibre
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - calibre
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/ebook-reader/volumes/calibre_config/:/config/
+      - ./volumes/calibre_config/:/config/
       - ${NASCOMPOSE_DATA?}/media/ebooks/:/data/media/ebooks/
-      - ${NASCOMPOSE_SERVICES?}/ebook-reader/volumes/calibre_database/metadata.db:/data/media/ebooks/metadata.db
-    restart: unless-stopped
+      - ./volumes/calibre_database/metadata.db:/data/media/ebooks/metadata.db
     labels:
-      traefik.enable: true
       traefik.http.services.calibre.loadbalancer.server.port: 8080
       traefik.http.routers.calibre.middlewares: authelia@file
-
   calibre-web:
-    hostname: calibre-web
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: calibre-web
     image: lscr.io/linuxserver/calibre-web
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - calibre
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/ebook-reader/volumes/calibre-web_config/:/config/
+      - ./volumes/calibre-web_config/:/config/
       - ${NASCOMPOSE_DATA?}/media/ebooks/:/data/media/ebooks/:ro
-      - ${NASCOMPOSE_SERVICES?}/ebook-reader/volumes/calibre_database/metadata.db:/data/media/ebooks/metadata.db:ro
-    restart: unless-stopped
+      - ./volumes/calibre_database/metadata.db:/data/media/ebooks/metadata.db:ro
     labels:
-      traefik.enable: true
       traefik.http.routers.calibre-web.middlewares: authelia@file
-
 networks:
   calibre:
     name: calibre
-
   reverse-proxy:
     external: true

email/compose.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  smtp-server:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: smtp-server
+    image: juanluisbaptiste/postfix
+    environment:
+      - SMTP_SERVER=${SMTP_ADDRESS?}
+      - SMTP_USERNAME=${SMTP_USERNAME?}
+      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+      - SERVER_HOSTNAME=${NASCOMPOSE_DOMAIN?}
+    networks:
+      - smtp-server
+    volumes:
+      - ./secrets/smtp_password:/run/secrets/smtp_password:ro
+networks:
+  smtp-server:
+    name: smtp-server

git/compose.yaml

@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  gitea:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: gitea
+    image: gitea/gitea:latest-rootless
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    volumes:
+      - ${NASCOMPOSE_DATA?}/git:/var/lib/gitea/git/lfs
+      - ./volumes/gitea_data:/var/lib/gitea
+      - ./volumes/gitea_config:/etc/gitea
+    labels:
+      traefik.http.services.gitea.loadbalancer.server.port: 3000
+      traefik.tcp.routers.gitea.entryPoints: ssh
+      traefik.tcp.routers.gitea.rule: HostSNI(`*`)
+      traefik.tcp.services.gitea.loadbalancer.server.port: 2222
+networks:
+  reverse-proxy:
+    external: true

indexer/compose.yaml

@@ -1,14 +1,16 @@
-name: indexer
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   prowlarr:
-    hostname: prowlarr
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: prowlarr
     image: lscr.io/linuxserver/prowlarr
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - default
       - indexer
       - torrents
@@ -18,27 +20,27 @@ services:
       - 1.1.1.1
       - 1.0.0.1
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/indexer/volumes/prowlarr_config/:/config/
-    restart: unless-stopped
+      - ./volumes/prowlarr_config/:/config/
     labels:
-      traefik.enable: true
       traefik.http.routers.prowlarr.middlewares: authelia@file
-
   flaresolverr:
-    hostname: flaresolverr
-    image: ghcr.io/flaresolverr/flaresolverr:pr-1282 # Temporary until https://github.com/FlareSolverr/FlareSolverr/pull/1272 gets fixed
-    restart: unless-stopped
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: flaresolverr
+    image: alexfozor/flaresolverr:pr-1300-experimental # ghcr.io/flaresolverr/flaresolverr:pr-1282 # Temporary until https://github.com/FlareSolverr/FlareSolverr/pull/1272 gets fixed
     dns:
       # Work around DNS blocks in various regions
       - 1.1.1.1
       - 1.0.0.1
-
   autobrr:
-    hostname: autobrr
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: autobrr
     image: ghcr.io/autobrr/autobrr
     user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - default
       - torrents
     dns:
@@ -46,27 +48,24 @@ services:
       - 1.1.1.1
       - 1.0.0.1
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/indexer/volumes/autobrr_config/:/config/
-    restart: unless-stopped
+      - ./volumes/autobrr_config/:/config/
     labels:
-      traefik.enable: true
       traefik.http.routers.autobrr.middlewares: authelia@file
-
   omegabrr:
-    hostname: omegabrr
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: omegabrr
     image: ghcr.io/autobrr/omegabrr
     user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
+      - reverse-proxy # Hack to access sonarr/radarr
       - default
     volumes:
       - ${NASCOMPOSE_SERVICES?}/indexer/volumes/omegabrr_config/:/config/
-    restart: unless-stopped
-
 networks:
   indexer:
     name: indexer
-
   reverse-proxy:
     external: true
   torrents:

irc/compose.yaml

@@ -1,23 +1,22 @@
-name: irc
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   thelounge:
-    hostname: thelounge
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: thelounge
     image: lscr.io/linuxserver/thelounge
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
-    networks:
-      - reverse-proxy
     dns:
       # Work around DNS blocks in various regions
       - 1.1.1.1
       - 1.0.0.1
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/irc/volumes/thelounge_config/:/config/
-    restart: unless-stopped
+      - ./volumes/thelounge_config/:/config/
     labels:
-      traefik.enable: true
       traefik.http.routers.thelounge.middlewares: authelia@file
 
 networks:

media-player/compose.yaml

@@ -0,0 +1,76 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  plex:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: plex
+    image: plexinc/pms-docker
+    environment:
+      PLEX_UID: ${NASCOMPOSE_UID?}
+      PLEX_GID: ${NASCOMPOSE_GID?}
+    networks:
+      - media-player
+    volumes:
+      - ./volumes/plex_config/:/config/
+      - ${NASCOMPOSE_DATA?}/media/:/data/:ro
+    labels:
+      traefik.http.services.plex.loadbalancer.server.port: 32400
+      traefik.http.services.plex.loadbalancer.server.scheme: https
+  tautulli:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: tautulli
+    image: ghcr.io/tautulli/tautulli
+    environment:
+      PUID: ${NASCOMPOSE_UID?}
+      PGID: ${NASCOMPOSE_GID?}
+    networks:
+      - media-player
+    volumes:
+      - ./volumes/tautulli_config/:/config/
+    labels:
+      traefik.http.routers.tautulli.middlewares: authelia@file
+  plaxt:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: plaxt
+    image: xanderstrike/goplaxt
+    profiles:
+      - plaxt
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    environment:
+      TRAKT_ID_FILE: /run/secrets/trakt_id
+      TRAKT_SECRET_FILE: /run/secrets/trakt_secret
+    networks:
+      - media-player
+    volumes:
+      - ./volumes/plaxt_keystore/:/app/keystore/
+      - ./secrets/trakt_id:/run/secrets/trakt_id:ro
+      - ./secrets/trakt_secret:/run/secrets/trakt_secret:ro
+  audiobookshelf:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: audiobookshelf
+    image: advplyr/audiobookshelf
+    profiles:
+      - ebooks
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    environment:
+      PORT: 13378
+    volumes:
+      - ./volumes/audiobookshelf_config/:/config/
+      - ./volumes/audiobookshelf_metadata/:/metadata/
+      - ${NASCOMPOSE_DATA?}/media/audiobooks/:/audiobooks/
+    labels:
+      traefik.http.routers.audiobookshelf.middlewares: authelia@file
+      traefik.http.services.audiobookshelf.loadbalancer.server.port: 13378
+networks:
+  media-player:
+    name: media-player
+  reverse-proxy:
+    external: true

media-player/docker-compose.yml

@@ -1,81 +0,0 @@
-name: media-player
-
-services:
-  plex:
-    hostname: plex
-    image: plexinc/pms-docker
-    environment:
-      PLEX_UID: ${NASCOMPOSE_UID?}
-      PLEX_GID: ${NASCOMPOSE_GID?}
-    networks:
-      - reverse-proxy
-      - media-player
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/media-player/volumes/plex_config/:/config/
-      - ${NASCOMPOSE_DATA?}/media/:/data/:ro
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-      traefik.http.services.plex.loadbalancer.server.port: 32400
-      traefik.http.services.plex.loadbalancer.server.scheme: https
-
-  tautulli:
-    hostname: tautulli
-    image: lscr.io/linuxserver/tautulli
-    environment:
-      PUID: ${NASCOMPOSE_UID?}
-      PGID: ${NASCOMPOSE_GID?}
-    networks:
-      - reverse-proxy
-      - media-player
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/media-player/volumes/tautulli_config/:/config/
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-      traefik.http.routers.tautulli.middlewares: authelia@file
-
-  plaxt:
-    hostname: plaxt
-    image: xanderstrike/goplaxt
-    profiles: [ plaxt ]
-    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
-    environment:
-      TRAKT_ID_FILE: /run/secrets/trakt_id
-      TRAKT_SECRET_FILE: /run/secrets/trakt_secret
-    networks:
-      - reverse-proxy
-      - media-player
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/media-player/volumes/plaxt_keystore/:/app/keystore/
-      # Secrets
-      - ${NASCOMPOSE_SERVICES?}/media-player/secrets/trakt_id:/run/secrets/trakt_id:ro
-      - ${NASCOMPOSE_SERVICES?}/media-player/secrets/trakt_secret:/run/secrets/trakt_secret:ro
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-
-  audiobookshelf:
-    hostname: audiobookshelf
-    image: advplyr/audiobookshelf
-    profiles: [ ebooks ]
-    environment:
-      AUDIOBOOKSHELF_UID: ${NASCOMPOSE_UID?}
-      AUDIOBOOKSHELF_GID: ${NASCOMPOSE_GID?}
-    networks:
-      - reverse-proxy
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/media-player/volumes/audiobookshelf_config/:/config/
-      - ${NASCOMPOSE_SERVICES?}/media-player/volumes/audiobookshelf_metadata/:/metadata/
-      - ${NASCOMPOSE_DATA?}/media/audiobooks/:/audiobooks/
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-      traefik.http.routers.audiobookshelf.middlewares: authelia@file
-
-networks:
-  media-player:
-    name: media-player
-
-  reverse-proxy:
-    external: true

media-requester/compose.yaml

@@ -1,21 +1,19 @@
-name: media-requester
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   overseerr:
-    hostname: overseerr
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: overseerr
     image: sctx/overseerr
     user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - media-player
       - tv-collector
       - movie-collector
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/media-requester/volumes/overseerr_config/:/app/config
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-
+      - ./volumes/overseerr_config/:/app/config
 networks:
   reverse-proxy:
     external: true

monitoring/compose.macvlan.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  loki:
+    networks:
+      macvlan:
+        ipv4_address: ${NASCOMPOSE_MACVLAN_LOKI_IP?}
+
+networks:
+  macvlan:
+    external: true

monitoring/compose.yaml

@@ -0,0 +1,75 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  loki:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: loki
+    image: grafana/loki
+    #user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    command: -config.file=/etc/loki/local-config.yaml
+    networks:
+      - default
+  promtail:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: promtail
+    image: grafana/promtail
+    command: -config.file=/etc/promtail/config.yaml
+    #user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    volumes:
+      - /var/log:/var/log
+      - ./config/promtail_config.yaml:/etc/promtail/config.yaml
+      - ./volumes/promtail_logs/:/data/logs/
+  grafana:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: grafana
+    image: grafana/grafana-oss
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    volumes:
+      - ./volumes/grafana_data/:/var/lib/grafana
+      - ./config/grafana.ini:/etc/grafana/grafana.ini:ro
+    networks:
+      - default
+  cadvisor:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: cadvisor
+    image: gcr.io/cadvisor/cadvisor
+    #user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    command:
+      - --enable_metrics=app,cpu,memory,network,oom_event,percpu
+      - --store_container_labels=false
+      - --docker_only=true
+      - --whitelisted_container_labels=com.docker.compose.project,com.docker.compose.service
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:ro
+      - /sys:/sys:ro
+      - /var/packages/ContainerManager/var/docker/:/var/lib/docker:ro
+    networks:
+      - default
+    labels:
+      traefik.http.routers.cadvisor.middlewares: authelia@file
+  prometheus:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: prometheus
+    image: prom/prometheus
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    volumes:
+      - ./config/prometheus_config/prometheus.yml:/etc/prometheus/prometheus.yml
+      - ./volumes/prometheus_data/:/prometheus/
+    networks:
+      - default
+    labels:
+      traefik.http.routers.prometheus.middlewares: authelia@file
+networks:
+  reverse-proxy:
+    external: true

monitoring/config/promtail_config.yaml

@@ -0,0 +1,25 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /data/logs/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+- job_name: system
+  static_configs:
+  - targets:
+      - localhost
+    labels:
+      job: varlogs
+      __path__: /var/log/*.log
+- job_name: traefik
+  static_configs:
+  - targets:
+      - traefik
+    labels:
+      job: traefik
+      __path__: /data/logs/traefik/*.log

monitoring/volumes/promtail_logs/.gitignore

@@ -0,0 +1,6 @@
+# Promtail logs volume is special as it contains folders which are symlinked to as volumes for other containers
+# Stop the parent .gitignore from impacting subfolders
+!*/
+# Ignore the content of all the subfolders
+*/*
+!.gitkeep

movie-collector/compose.yaml

@@ -1,29 +1,27 @@
-name: movie-collector
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   radarr:
-    hostname: radarr
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: radarr
     image: lscr.io/linuxserver/radarr
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - movie-collector
       - torrents
       - usenet
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/movie-collector/volumes/radarr_config/:/config/
+      - ./volumes/radarr_config/:/config/
       - ${NASCOMPOSE_DATA?}/:/data/
-    restart: unless-stopped
     labels:
-      traefik.enable: true
       traefik.http.routers.radarr.middlewares: authelia@file
-
 networks:
   movie-collector:
     name: movie-collector
-
   reverse-proxy:
     external: true
   torrents:

notifiarr/compose.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  notifiarr:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: notifiarr
+    image: golift/notifiarr
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    volumes:
+      - ./volumes/notifiarr_config/:/config/
+    labels:
+      traefik.http.routers.notifiarr.middlewares: authelia@file
+  recyclarr:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: recyclarr
+    image: ghcr.io/recyclarr/recyclarr
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    networks:
+      - reverse-proxy #Hack to get access to the right containers
+    volumes:
+      - ./volumes/recyclarr_config/:/config/
+networks:
+  reverse-proxy:
+    external: true

notifiarr/docker-compose.yml

@@ -1,31 +0,0 @@
-name: notifiarr
-
-services:
-  notifiarr:
-    hostname: notifiarr
-    image: golift/notifiarr
-    environment:
-      PUID: ${NASCOMPOSE_UID?}
-      PGID: ${NASCOMPOSE_GID?}
-    networks:
-      - reverse-proxy
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/notifiarr/volumes/notifiarr_config/:/config/
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-      traefik.http.routers.notifiarr.middlewares: authelia@file
-
-  recyclarr:
-    hostname: recyclarr
-    image: ghcr.io/recyclarr/recyclarr
-    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
-    networks:
-      - reverse-proxy
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/notifiarr/volumes/recyclarr_config/:/config/
-    restart: unless-stopped
-
-networks:
-  reverse-proxy:
-    external: true

photo-collector/compose.yaml

@@ -0,0 +1,82 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  immich:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: immich
+    image: ghcr.io/immich-app/immich-server:release
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    networks:
+      - smtp-server
+      - default
+    depends_on:
+      - immich_redis
+      - immich_postgres
+    environment:
+      DB_USERNAME: postgres
+      DB_PASSWORD: postgres
+      DB_DATABASE_NAME: immich
+    volumes:
+      - ${NASCOMPOSE_DATA?}/media/photos/:/usr/src/app/upload/
+    labels:
+      traefik.http.routers.immich.middlewares: authelia@file
+  immich-machine-learning:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    hostname: immich-machine-learning
+    image: ghcr.io/immich-app/immich-machine-learning:release
+    volumes:
+      - ./volumes/immich_ml_cache/:/cache/
+  immich_redis:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    hostname: redis
+    image: redis:6.2-alpine
+    healthcheck:
+      test: redis-cli ping || exit 1
+  immich_postgres:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    hostname: database
+    image: tensorchord/pgvecto-rs:pg14-v0.2.0
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_DB: immich
+      POSTGRES_INITDB_ARGS: --data-checksums
+    volumes:
+      - ./volumes/immich_postgres_data/:/var/lib/postgresql/data/
+    healthcheck:
+      test: pg_isready --dbname='immich' --username='postgres' || exit 1;
+        Chksum="$$(psql --dbname='immich' --username='postgres' --tuples-only
+        --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM
+        pg_stat_database')"; echo "checksum failure count is $$Chksum"; [
+        "$$Chksum" = '0' ] || exit 1
+      interval: 5m
+      #start_interval: 30s
+      start_period: 5m
+    command:
+      - postgres
+      - -c
+      - shared_preload_libraries=vectors.so
+      - -c
+      - search_path="$$user", public, vectors
+      - -c
+      - logging_collector=on
+      - -c
+      - max_wal_size=2GB
+      - -c
+      - shared_buffers=512MB
+      - -c
+      - wal_compression=on
+networks:
+  reverse-proxy:
+    external: true
+  smtp-server:
+    external: true

photo-collector/docker-compose.yml

@@ -1,60 +0,0 @@
-name: photo-collector
-
-services:
-  immich:
-    hostname: immich
-    image: ghcr.io/immich-app/immich-server:release
-    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
-    networks:
-      - reverse-proxy
-      - default
-    depends_on:
-      - immich_redis
-      - immich_postgres
-    environment:
-      DB_USERNAME: postgres
-      DB_PASSWORD: postgres
-      DB_DATABASE_NAME: immich
-    volumes:
-      - ${NASCOMPOSE_DATA?}/media/photos/:/usr/src/app/upload/
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-      traefik.http.routers.immich.middlewares: authelia@file
-
-  immich-machine-learning:
-    hostname: immich-machine-learning
-    image: ghcr.io/immich-app/immich-machine-learning:release
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/photo-collector/volumes/immich_ml_cache/:/cache/
-    restart: unless-stopped
-
-  immich_redis:
-    hostname: redis
-    image: redis:6.2-alpine
-    healthcheck:
-      test: redis-cli ping || exit 1
-    restart: unless-stopped
-
-  immich_postgres:
-    hostname: database
-    image: tensorchord/pgvecto-rs:pg14-v0.2.0
-    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
-    environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: postgres
-      POSTGRES_DB: immich
-      POSTGRES_INITDB_ARGS: '--data-checksums'
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/photo-collector/volumes/immich_postgres_data/:/var/lib/postgresql/data/
-    healthcheck:
-      test: pg_isready --dbname='immich' --username='postgres' || exit 1; Chksum="$$(psql --dbname='immich' --username='postgres' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
-      interval: 5m
-      #start_interval: 30s
-      start_period: 5m
-    command: ["postgres", "-c" ,"shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
-    restart: unless-stopped
-
-networks:
-  reverse-proxy:
-    external: true

recipe-collector/compose.yaml

@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+services:
+  mealie:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: mealie
+    image: ghcr.io/mealie-recipes/mealie
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    env_file: ./config/mealie.env
+    volumes:
+      - ./volumes/mealie_data/:/app/data/
+networks:
+  reverse-proxy:
+    external: true

recipe-collector/docker-compose.yml

@@ -1,22 +0,0 @@
-name: recipe-collector
-
-services:
-  mealie:
-    hostname: mealie
-    image: ghcr.io/mealie-recipes/mealie
-    networks:
-      - reverse-proxy
-    environment:
-      PUID: ${NASCOMPOSE_UID?}
-      PGID: ${NASCOMPOSE_GID?}
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/recipe-collector/volumes/mealie_data/:/app/data/
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-      # Embedded authentication
-      # traefik.http.routers.mealie.middlewares: authelia@file
-
-networks:
-  reverse-proxy:
-    external: true

reverse-proxy/compose.macvlan.yaml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
 services:
   traefik:
     environment:

reverse-proxy/compose.yaml

@@ -1,33 +1,40 @@
-name: reverse-proxy
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   traefik:
-    hostname: traefik
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: traefik
     image: traefik
     # TODO: Run as non root user
     #user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
     environment:
       NASCOMPOSE_DOMAIN: ${NASCOMPOSE_DOMAIN?}
-      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_dns_token
       TRAEFIK_CERTIFICATESRESOLVERS_DEFAULTRESOLVER_ACME_EMAIL: admin@${NASCOMPOSE_DOMAIN?}
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_0_MAIN: '*.${NASCOMPOSE_DOMAIN?}'
-      LEGO_DISABLE_CNAME_SUPPORT: true
-    networks:
-      - reverse-proxy
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/volumes/traefik_acme/:/etc/traefik/acme/
-      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/volumes/traefik_logs/:/var/log/traefik/
-      # Config
-      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/traefik.yml:/etc/traefik/traefik.yml:ro
-      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/configs/dynamic:/etc/traefik/dynamic:ro
-      # Secrets
-      - ${NASCOMPOSE_SERVICES?}/reverse-proxy/secrets/cf_dns_token:/run/secrets/cf_dns_token:ro
-    restart: unless-stopped
+      - ./volumes/traefik_acme/:/etc/traefik/acme/
+      - ./volumes/traefik_logs/:/var/log/traefik/
+      - ./configs/traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./configs/dynamic:/etc/traefik/dynamic:ro
+      - ./secrets/cf_dns_token:/run/secrets/cf_dns_token:ro
     labels:
-      traefik.enable: true
       traefik.http.routers.traefik.service: api@internal
       traefik.http.routers.traefik.middlewares: authelia@file
+      traefik.http.services.traefik.loadbalancer.server.port: 8081
+  endlessh:
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: endlessh
+    image: lscr.io/linuxserver/endlessh
+    environment:
+      PUID: ${NASCOMPOSE_UID?}
+      PGID: ${NASCOMPOSE_GID?}
+    labels:
+      traefik.tcp.routers.endlessh.entryPoints: ssh-tarpit
+      traefik.tcp.routers.endlessh.rule: HostSNI(`*`)
 #  crowdsec:
 #    hostname: crowdsec
 #    image: crowdsecurity/crowdsec

reverse-proxy/configs/dynamic/authelia.yml

@@ -1,19 +1,14 @@
+# yaml-language-server: $schema=https://json.schemastore.org/traefik-v2-file-provider.json
+
 http:
   middlewares:
     authelia:
       forwardAuth:
-        address: 'http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.{{ env `NASCOMPOSE_DOMAIN` }}%2F'
-        trustForwardHeader: true
-        authResponseHeaders:
-          - Remote-User
-          - Remote-Groups
-          - Remote-Name
-          - Remote-Email
-    authelia-basic:
-      forwardAuth:
-        address: http://authelia:9091/api/verify?auth=basic
+        address: http://authelia:9091/api/authz/forward-auth
         trustForwardHeader: true
         authResponseHeaders:
+          - Authorization
+          - Proxy-Authorization
           - Remote-User
           - Remote-Groups
           - Remote-Name

reverse-proxy/configs/dynamic/compress.yml

@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://json.schemastore.org/traefik-v2-file-provider.json
+
+http:
+  middlewares:
+    compress:
+      compress:
+        includedContentTypes:
+          - application/atom+xml
+          - application/geo+json
+          - application/javascript
+          - application/x-javascript
+          - application/json
+          - application/ld+json
+          - application/manifest+json
+          - application/rdf+xml
+          - application/rss+xml
+          - application/vnd.ms-fontobject
+          - application/wasm
+          - application/x-web-app-manifest+json
+          - application/xhtml+xml
+          - application/xml
+          - font/eot
+          - font/otf
+          - font/ttf
+          - image/bmp
+          - image/svg+xml
+          - image/vnd.microsoft.icon
+          - image/x-icon
+          - text/cache-manifest
+          - text/calendar
+          - text/css
+          - text/html
+          - text/javascript
+          - text/markdown
+          - text/plain
+          - text/xml
+          - text/vcard
+          - text/vnd.rim.location.xloc
+          - text/vtt
+          - text/x-component
+          - text/x-cross-domain-policy

reverse-proxy/configs/dynamic/hsts.yml

@@ -1,8 +1,10 @@
+# yaml-language-server: $schema=https://json.schemastore.org/traefik-v2-file-provider.json
+
 http:
   middlewares:
     hsts:
       headers:
-        frameDeny: true
+        customFrameOptionsValue: SAMEORIGIN
         browserXssFilter: true
         stsSeconds: 31536000 # 1 year
         stsPreload: true

reverse-proxy/configs/dynamic/portainer.yml

@@ -1,11 +0,0 @@
-http:
-  #TODO: Convert to inline configuration for portainer
-  routers:
-    portainer:
-      rule: 'Host(`portainer.{{ env `NASCOMPOSE_DOMAIN` }}`)'
-      service: portainer@file
-  services:
-    portainer:
-      loadBalancer:
-        servers:
-          - url: https://{{ env `NASCOMPOSE_MACVLAN_PORTAINER_IP` }}:9443/

reverse-proxy/configs/dynamic/qbittorrent-api.yml

@@ -1,7 +0,0 @@
-http:
-  routers:
-    qbittorrent-api:
-      rule: 'Host(`qbittorrent-api.{{ env `NASCOMPOSE_DOMAIN` }}`)'
-      service: qbittorrent@docker
-      middlewares:
-        - authelia-basic@file

reverse-proxy/configs/dynamic/synology.yml

@@ -1,7 +1,9 @@
+# yaml-language-server: $schema=https://json.schemastore.org/traefik-v2-file-provider.json
+
 http:
   routers:
     synology:
-      rule: 'Host(`synology.{{ env `NASCOMPOSE_DOMAIN` }}`)'
+      rule: "Host(`synology.{{ env `NASCOMPOSE_DOMAIN` }}`)"
       service: synology@file
   services:
     synology:

reverse-proxy/configs/dynamic/traefik.yml

@@ -1,8 +0,0 @@
-http:
-  #TODO: Convert to inline configuration for traefik
-  # Allows internal services to use `http://traefik/` to use the traefik interface.
-  # Useful for tools like Heimdall which use the traefik API.
-  routers:
-    traefik-internal:
-      rule: Host(`traefik`)
-      service: api@internal

reverse-proxy/configs/traefik.yml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/traefik-v2.json
+
 providers:
   docker:
     exposedByDefault: false
@@ -9,33 +11,64 @@ providers:
 serverstransport:
   insecureskipverify: true
 
-api: {}
-accessLog: {}
+api:
+  dashboard: true
+  insecure: true
+accessLog:
+  filePath: /var/log/traefik/access.log
+  format: json
+  fields:
+    defaultMode: keep
+    names:
+      StartLocal: drop
+      ClientAddr: drop
+    headers:
+      defaultMode: drop
+      names:
+        Remote-User: keep
+metrics:
+  prometheus:
+    addRoutersLabels: true
+    entryPoint: metrics
 
 certificatesResolvers:
   defaultResolver:
     acme:
       storage: /etc/traefik/acme/acme.json
-      dnsChallenge:
-        provider: cloudflare
+      tlsChallenge: {}
 
 entryPoints:
   web:
-    address: :80
+    address: :8080
     http:
       redirections:
         entryPoint:
           to: websecure
           scheme: https
+          permanent: true
   websecure:
-    address: :443
+    address: :8443
+    asDefault: true
     http:
       tls:
         certResolver: defaultResolver
       middlewares:
         - hsts@file
+        - compress@file
+    http3:
+      advertisedPort: 443
   ssh:
-    address: :22
+    address: :8022
+  ssh-tarpit:
+    address: :8222
+    transport:
+      respondingTimeouts:
+        readTimeout: 0
+        idleTimeout: 0
+  metrics:
+    address: :9982
+  traefik:
+    address: :8081
 
 global:
   sendAnonymousUsage: false

reverse-proxy/volumes/traefik_logs

@@ -0,0 +1 @@
+../../monitoring/volumes/promtail_logs/traefik

ssh-protection/docker-compose.yml

@@ -1,21 +0,0 @@
-name: ssh-protection
-
-services:
-  endlessh:
-    hostname: endlessh
-    image: lscr.io/linuxserver/endlessh
-    environment:
-      PUID: ${NASCOMPOSE_UID?}
-      PGID: ${NASCOMPOSE_GID?}
-    networks:
-      - reverse-proxy
-    restart: unless-stopped
-    labels:
-      traefik.enable: true
-      traefik.tcp.routers.endlessh.entryPoints: ssh
-      traefik.tcp.routers.endlessh.rule: HostSNI(`*`)
-      traefik.tcp.services.endlessh.loadbalancer.server.port: 2222
-
-networks:
-  reverse-proxy:
-    external: true

subtitle-collector/compose.yaml

@@ -1,25 +1,24 @@
-name: subtitle-collector
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 
 services:
   bazarr:
-    hostname: bazarr
+    extends:
+      file: ../compose.base.yaml
+      service: exposed-service
+    container_name: bazarr
     image: lscr.io/linuxserver/bazarr
     environment:
       PUID: ${NASCOMPOSE_UID?}
       PGID: ${NASCOMPOSE_GID?}
     networks:
-      - reverse-proxy
       - movie-collector
       - tv-collector
     volumes:
-      - ${NASCOMPOSE_SERVICES?}/subtitle-collector/volumes/bazarr_config/:/config/
+      - ./volumes/bazarr_config/:/config/
       - ${NASCOMPOSE_DATA?}/media/movies/:/data/media/movies/
       - ${NASCOMPOSE_DATA?}/media/tv/:/data/media/tv/
-    restart: unless-stopped
     labels:
-      traefik.enable: true
       traefik.http.routers.bazarr.middlewares: authelia@file
-
 networks:
   reverse-proxy:
     external: true

torrents/compose.yaml

@@ -0,0 +1,116 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+
+x-qbittorrent: &a1
+  extends:
+    file: ../compose.base.yaml
+    service: exposed-service
+  image: hotio/qbittorrent
+  environment:
+    PUID: ${NASCOMPOSE_UID?}
+    PGID: ${NASCOMPOSE_GID?}
+    VPN_ENABLED: true
+    VPN_CONF: wg0-fix
+    VPN_PROVIDER: ${TORRENT_VPN?}
+    VPN_LAN_NETWORK: 192.168.0.0/23
+    VPN_AUTO_PORT_FORWARD: true
+    VPN_KEEP_LOCAL_DNS: true
+    VPN_FIREWALL_TYPE: legacy
+  cap_add:
+    - NET_ADMIN
+  sysctls:
+    net.ipv4.conf.all.src_valid_mark: 1
+  networks:
+    - torrents
+  dns:
+    - 1.1.1.1
+    - 1.0.0.1
+x-qbitmanage: &a2
+  extends:
+    file: ../compose.base.yaml
+    service: base-service
+  image: bobokun/qbit_manage
+  user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+  environment:
+    QBT_SCHEDULE: 30
+    QBT_WIDTH: 170
+  networks:
+    - torrents
+services:
+  qbittorrent:
+    <<: *a1
+    container_name: qbittorrent
+    volumes:
+      - ./volumes/qbittorrent_config/:/config/
+      - ${NASCOMPOSE_DATA?}/torrents/:/data/torrents/
+      - ./config/99-cron-start:/etc/cont-init.d/99-cron-start:ro
+      - ./config/updateMaMIP:/etc/periodic/hourly/updateMaMIP:ro
+      - ./secrets/wg0.conf:/config/wireguard/wg0-fix.conf:ro
+    labels:
+      traefik.http.routers.qbittorrent.middlewares: authelia@file
+  qbitmanage:
+    <<: *a2
+    container_name: qbitmanage
+    volumes:
+      - ./volumes/qbitmanage_config/:/config/
+      - ./volumes/qbittorrent_config/data/BT_backup/:/torrents/:ro
+      - ${NASCOMPOSE_DATA?}/torrents/:/data/torrents/
+  cross-seed:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: cross-seed
+    image: crossseed/cross-seed:master
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    networks:
+      - torrents
+      #- indexer
+    dns:
+      - 1.1.1.1
+      - 1.0.0.1
+    volumes:
+      - ./volumes/cross-seed_config/:/config/
+      - ./volumes/qbittorrent_config/data/BT_backup/:/torrents/:ro
+      - ${NASCOMPOSE_DATA?}/:/data/
+    command: daemon
+  unpackerr:
+    extends:
+      file: ../compose.base.yaml
+      service: base-service
+    container_name: unpackerr
+    image: golift/unpackerr
+    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
+    networks:
+      - torrents
+    volumes:
+      - ./volumes/unpackerr_config/:/etc/unpackerr/
+      - ${NASCOMPOSE_DATA?}/torrents/completed/:/data/torrents/completed/
+  qbittorrent-seeding:
+    <<: *a1
+    container_name: qbittorrent-seeding
+    profiles:
+      - torrents-seeding
+    volumes:
+      - ./volumes/qbittorrent-seeding_config/:/config/
+      - ${NASCOMPOSE_DATA?}/torrents-seeding/:/data/torrents/
+      - ./config/99-cron-start:/etc/cont-init.d/99-cron-start:ro
+      - ./config/updateMaMIP:/etc/periodic/hourly/updateMaMIP:ro
+      - ./secrets/wg0-seeding.conf:/config/wireguard/wg0-fix.conf:ro
+    labels:
+      traefik.http.routers.qbittorrent-seeding.middlewares: authelia@file
+  qbitmanage-seeding:
+    <<: *a2
+    container_name: qbitmanage-seeding
+    profiles:
+      - torrents-seeding
+    volumes:
+      - ./volumes/qbitmanage-seeding_config/:/config/
+      - ./volumes/qbittorrent-seeding_config/data/BT_backup/:/torrents/:ro
+      - ${NASCOMPOSE_DATA?}/torrents-seeding/:/data/torrents/
+networks:
+  torrents:
+    name: torrents
+  reverse-proxy:
+    external: true
+
+#  indexer:
+#    external: true

torrents/config/98-gateway-setup

@@ -1,11 +0,0 @@
-#!/command/with-contenv bash
-echo "Allow DNS resolution locally"
-iptables -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-
-echo "Allow docker networks to connect"
-docker_cirds=$(ip -o -4 route show proto kernel | awk '{print $1}')
-for cidr in $docker_cirds; do
-    iptables -A INPUT -s "${cidr}" -d "${cidr}" -j ACCEPT
-    iptables -A OUTPUT -s "${cidr}" -d "${cidr}" -j ACCEPT
-done

torrents/config/99-cron-start

@@ -1,4 +1,3 @@
 #!/command/with-contenv bash
 
-(crontab -l ; echo "*       *       *       *       *       run-parts /etc/periodic/1min") | sort - | uniq - | crontab -
 crond

torrents/docker-compose.yml

@@ -1,102 +0,0 @@
-name: torrents${TORRENT_SUFFIX?TORRENT_SUFFIX variable required}
-
-services:
-  qbittorrent:
-    # Set hostname to "SERVICE-main" if not suffix is provided. This avoids collisions with other instances using the service name as hostname (default on compose)
-    hostname: qbittorrent${TORRENT_SUFFIX:--main}
-    image: hotio/qbittorrent
-    environment:
-      PUID: ${NASCOMPOSE_UID?}
-      PGID: ${NASCOMPOSE_GID?}
-      VPN_ENABLED: true
-      VPN_CONF: wg0-fix
-      VPN_PROVIDER: ${TORRENT_VPN?}
-      VPN_LAN_NETWORK: 192.168.0.0/23
-      VPN_AUTO_PORT_FORWARD: true
-      VPN_KEEP_LOCAL_DNS: true
-      VPN_FIREWALL_TYPE: legacy
-    cap_add:
-      - NET_ADMIN
-    sysctls:
-      net.ipv4.conf.all.src_valid_mark: 1
-    networks:
-      - reverse-proxy
-      - torrents
-    dns:
-      - 1.1.1.1
-      - 1.0.0.1
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/volumes/qbittorrent_config/:/config/
-      - ${NASCOMPOSE_DATA?}/torrents${TORRENT_SUFFIX?}/:/data/torrents/
-      # Configuration
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/config/98-gateway-setup:/etc/cont-init.d/98-gateway-setup:ro
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/config/99-cron-start:/etc/cont-init.d/99-cron-start:ro
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/config/updateMaMIP:/etc/periodic/hourly/updateMaMIP:ro
-      # Secrets
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/secrets/wg0.conf:/config/wireguard/wg0-fix.conf:ro
-    restart: unless-stopped
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.qbittorrent${TORRENT_SUFFIX?}.rule=Host(`qbittorrent${TORRENT_SUFFIX?}.${NASCOMPOSE_DOMAIN?}`)
-      - traefik.http.routers.qbittorrent${TORRENT_SUFFIX?}.middlewares=authelia@file
-      # API access for nzb360
-      - traefik.http.routers.qbittorrent${TORRENT_SUFFIX?}-api.rule=Host(`qbittorrent${TORRENT_SUFFIX?}-api.${NASCOMPOSE_DOMAIN?}`)
-      - traefik.http.routers.qbittorrent${TORRENT_SUFFIX?}-api.middlewares=authelia-basic@file
-
-  cross-seed:
-    # Set hostname to "SERVICE-main" if not suffix is provided. This avoids collisions with other instances using the service name as hostname (default on compose)
-    hostname: cross-seed${TORRENT_SUFFIX:--main}
-    image: crossseed/cross-seed:master
-    profiles: [ "torrents${TORRENT_SUFFIX?}-xseed" ]
-    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
-    networks:
-      - torrents
-      #- indexer
-    dns:
-      - 1.1.1.1
-      - 1.0.0.1
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/volumes/cross-seed_config/:/config/
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/volumes/qbittorrent_config/data/BT_backup/:/torrents/:ro
-      - ${NASCOMPOSE_DATA?}/:/data/
-    command: daemon
-    restart: unless-stopped
-
-  qbitmanage:
-    # Set hostname to "SERVICE-main" if not suffix is provided. This avoids collisions with other instances using the service name as hostname (default on compose)
-    hostname: qbitmanage${TORRENT_SUFFIX:--main}
-    image: bobokun/qbit_manage
-    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
-    environment:
-      QBT_SCHEDULE: 30
-      QBT_WIDTH: 170
-    networks:
-      - torrents
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/volumes/qbitmanage_config/:/config/
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/volumes/qbittorrent_config/data/BT_backup/:/torrents/:ro
-      - ${NASCOMPOSE_DATA?}/torrents${TORRENT_SUFFIX?}/:/data/torrents/
-    restart: unless-stopped
-
-  unpackerr:
-    # Set hostname to "SERVICE-main" if not suffix is provided. This avoids collisions with other instances using the service name as hostname (default on compose)
-    hostname: unpackerr{TORRENT_SUFFIX:--main}
-    image: golift/unpackerr
-    profiles: [ "torrents${TORRENT_SUFFIX?}-unpackerr" ]
-    user: ${NASCOMPOSE_UID?}:${NASCOMPOSE_GID?}
-    networks:
-      - torrents
-    volumes:
-      - ${NASCOMPOSE_SERVICES?}/torrents${TORRENT_SUFFIX?}/volumes/unpackerr_config/:/etc/unpackerr/
-      - ${NASCOMPOSE_DATA?}/torrents${TORRENT_SUFFIX?}/completed/:/data/torrents/completed/
-    restart: unless-stopped
-
-networks:
-  torrents:
-    name: torrents${TORRENT_SUFFIX?}
-
-  reverse-proxy:
-    external: true
-
-#  indexer:
-#    external: true