radicale

2025-08-02 18:21:44 -06:00 · 2025-08-02 18:21:44 -06:00 · 100e60785a
commit 100e60785a
parent 07daec5af2
10 changed files with 277 additions and 9 deletions
--- a/clink/docker-compose.yml
+++ b/clink/docker-compose.yml
@ -16,7 +16,7 @@ services:
      - net_admin
      - sys_module
    configs:
-      - source: serve-config
+      - source: ts-config
        target: /ts/serve.json
  clink:
    build: .
@ -34,7 +34,7 @@ volumes:
  clink-data:
  tailscale:
 configs:
-  serve-config:
+  ts-config:
    content: |
      {
        "TCP": {
--- a/immich/docker-compose.yml
+++ b/immich/docker-compose.yml
@ -27,7 +27,7 @@ services:
      - net_admin
      - sys_module
    configs:
-      - source: serve-config
+      - source: ts-config
        target: /ts/serve.json
  immich-server:
    container_name: immich_server
@ -94,7 +94,7 @@ volumes:
  model-cache:
  tailscale:
 configs:
-  serve-config:
+  ts-config:
    content: |
      {
        "TCP": {
--- a/mealie/docker-compose.yml
+++ b/mealie/docker-compose.yml
@ -16,7 +16,7 @@ services:
      - net_admin
      - sys_module
    configs:
-      - source: serve-config
+      - source: ts-config
        target: /ts/serve.json
  mealie:
    image: ghcr.io/mealie-recipes/mealie:v1.0.0
@ -33,7 +33,7 @@ volumes:
  mealie-data:
  tailscale:
 configs:
-  serve-config:
+  ts-config:
    content: |
      {
        "TCP": {
@ -51,6 +51,6 @@ configs:
          }
        },
        "AllowFunnel": {
-          "$${TS_CERT_DOMAIN}:443": false
+          "$${TS_CERT_DOMAIN}:443": ${TS_ALLOW_FUNNEL:-false}
        }
      }
--- a/nextcloud/Caddy.Dockerfile
+++ b/nextcloud/Caddy.Dockerfile
@ -0,0 +1,5 @@
+FROM caddy:2.9.1-builder-alpine AS builder
+RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03
+
+FROM caddy:2.9.1-alpine
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/nextcloud/docker-compose.yml
+++ b/nextcloud/docker-compose.yml
@ -0,0 +1,59 @@
+services:
+  ts-nextcloud:
+    image: tailscale/tailscale:latest
+    container_name: ts-nextcloud
+    restart: unless-stopped
+    hostname: ${TS_HOSTNAME}
+    environment:
+      - TS_AUTHKEY
+      - TS_EXTRA_ARGS
+      - TS_SERVE_CONFIG=/ts/serve.json
+    volumes:
+      - tailscale:/var/lib/tailscale
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - net_admin
+      - sys_module
+    configs:
+      - source: ts-config
+        target: /ts/serve.json
+
+  nextcloud-aio-mastercontainer:
+    image: ghcr.io/nextcloud-releases/all-in-one:latest
+    container_name: nextcloud-aio-mastercontainer
+    restart: always
+    init: true
+    environment:
+      APACHE_PORT: 11000
+      APACHE_IP_BINDING: 0.0.0.0
+      APACHE_ADDITIONAL_NETWORK: ""
+      SKIP_DOMAIN_VALIDATION: "false"
+    volumes:
+      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - "8080:8080"
+
+volumes:
+  nextcloud_aio_mastercontainer:
+    name: nextcloud_aio_mastercontainer
+  tailscale:
+
+configs:
+  ts-config:
+    content: |
+      {
+        "TCP": {
+          "80": {
+            "TCPForward": "127.0.0.1:11000"
+          },
+          "443": {
+            "TCPForward": "127.0.0.1:11000"
+          }
+        },
+        "AllowFunnel": {
+          "${TS_CERT_DOMAIN}:80": false,
+          "${TS_CERT_DOMAIN}:443": false
+        }
+      }
--- a/nextcloud/docker-compose.yml.checkpoint
+++ b/nextcloud/docker-compose.yml.checkpoint
@ -0,0 +1,116 @@
+services:
+  ts-nextcloud:
+    image: tailscale/tailscale:latest
+    container_name: ts-nextcloud
+    restart: unless-stopped
+    hostname: ${TS_HOSTNAME}
+    environment:
+      - TS_AUTHKEY
+      - TS_EXTRA_ARGS
+      - TS_SERVE_CONFIG=/ts/serve.json
+    volumes:
+      - tailscale:/var/lib/tailscale
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - net_admin
+      - sys_module
+    configs:
+      - source: ts-config
+        target: /ts/serve.json
+  caddy:
+    build:
+      context: .
+      dockerfile: Caddy.Dockerfile
+    restart: always
+    #ports:
+    #  - "80:80"
+    #  - "443:443"
+    volumes:
+      - caddy_certs:/certs
+      - caddy_data:/data
+      - caddy_config:/config
+      #- tailscale_sock:/var/run/tailscale:ro
+    configs:
+      - source: caddy-config
+        target: /etc/caddy/Caddyfile
+    network_mode: service:ts-nextcloud
+
+  nextcloud-aio-mastercontainer:
+    image: ghcr.io/nextcloud-releases/all-in-one:latest
+    container_name: nextcloud-aio-mastercontainer
+    restart: always
+    init: true
+    environment:
+      APACHE_PORT: 11000
+      APACHE_IP_BINDING: 0.0.0.0
+      APACHE_ADDITIONAL_NETWORK: ""
+      SKIP_DOMAIN_VALIDATION: "false"
+    volumes:
+      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    expose:
+      - "8080"
+
+volumes:
+  nextcloud_aio_mastercontainer:
+    name: nextcloud_aio_mastercontainer
+  caddy_certs:
+  caddy_data:
+  caddy_config:
+  tailscale:
+
+configs:
+  caddy-config:
+    content: |
+      {
+          layer4 {
+              127.0.0.1:3478 {
+                  route {
+                      proxy {
+                          upstream nextcloud-aio-talk:3478
+                      }
+                  }
+              }
+              127.0.0.1:3479 {
+                  route {
+                      proxy {
+                          upstream nextcloud-aio-talk:3479
+                      }
+                  }
+              }
+          }
+      }
+      https://${NC_DOMAIN} {
+          reverse_proxy nextcloud-aio-apache:11000 {
+              header_up X-Forwarded-Proto "https"
+              header_up Host {host}
+          }
+      }
+      http://{$NC_DOMAIN} {
+          reverse_proxy nextcloud-aio-apache:11000 {
+              header_up X-Forwarded-Proto "http"
+              header_up Host {host}
+          }
+      }
+  ts-config:
+    content: |
+      {
+        "TCP": {
+          "443": {
+            "HTTPS": true
+          }
+        },
+        "Web": {
+          "$${TS_CERT_DOMAIN}:443": {
+            "Handlers": {
+              "/": {
+                "Proxy": "http://127.0.0.1:11000"
+              }
+            }
+          }
+        },
+        "AllowFunnel": {
+          "$${TS_CERT_DOMAIN}:443": ${TS_ALLOW_FUNNEL:-false}
+        }
+      }
--- a/nextcloud/example.env
+++ b/nextcloud/example.env
@ -0,0 +1,5 @@
+TS_HOSTNAME=nextcloud
+TS_AUTHKEY=tskey-client-nnn
+TS_EXTRA_ARGS=--advertise-tags=tag:container
+TS_ALLOW_FUNNEL=false
+NC_DOMAIN=nextcloud.your-tailnet.ts.net
--- a/pacebin/docker-compose.yml
+++ b/pacebin/docker-compose.yml
@ -16,7 +16,7 @@ services:
      - net_admin
      - sys_module
    configs:
-      - source: serve-config
+      - source: ts-config
        target: /ts/serve.json
  pacebin:
    build: .
@ -34,7 +34,7 @@ volumes:
  pacebin-data:
  tailscale:
 configs:
-  serve-config:
+  ts-config:
    content: |
      {
        "TCP": {
--- a/radicale/docker-compose.yml
+++ b/radicale/docker-compose.yml
@ -0,0 +1,77 @@
+# Can be enhanced with an additional compose file
+# See also https://docs.docker.com/compose/production/#modify-your-compose-file-for-production
+
+services:
+  ts-radicale:
+    image: tailscale/tailscale:latest
+    container_name: ts-radicale
+    restart: unless-stopped
+    hostname: ${TS_HOSTNAME}
+    environment:
+      - TS_AUTHKEY
+      - TS_EXTRA_ARGS
+      - TS_SERVE_CONFIG=/ts/serve.json
+    volumes:
+      - tailscale:/var/lib/tailscale
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - net_admin
+      - sys_module
+    configs:
+      - source: ts-config
+        target: /ts/serve.json
+  radicale:
+    image: tomsquest/docker-radicale
+    container_name: radicale
+    network_mode: service:ts-radicale
+    #ports:
+    #  - 127.0.0.1:5232:5232
+    init: true
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - SETGID
+      - CHOWN
+      - KILL
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+          pids: 50
+    healthcheck:
+      test: curl -f http://127.0.0.1:5232 || exit 1
+      interval: 30s
+      retries: 3
+    restart: unless-stopped
+    volumes:
+      - ${RADICALE_DATA_DIR}:/data
+
+volumes:
+  tailscale:
+configs:
+  ts-config:
+    content: |
+      {
+        "TCP": {
+          "443": {
+            "HTTPS": true
+          }
+        },
+        "Web": {
+          "$${TS_CERT_DOMAIN}:443": {
+            "Handlers": {
+              "/": {
+                "Proxy": "http://127.0.0.1:5232"
+              }
+            }
+          }
+        },
+        "AllowFunnel": {
+          "$${TS_CERT_DOMAIN}:443": ${TS_ALLOW_FUNNEL:-false}
+        }
+      }
--- a/radicale/example.env
+++ b/radicale/example.env
@ -0,0 +1,6 @@
+TS_HOSTNAME=radicale
+TS_AUTHKEY=tskey-client-nnn-nnn
+TS_EXTRA_ARGS=--advertise-tags=tag:container
+TS_ALLOW_FUNNEL=false
+BASE_DATA_DIR=.
+RADICALE_DATA_DIR=${BASE_DATA_DIR}/radicale-data