

No commits in common. "master" and "proxy-server" have entirely different histories.

35 changed files with 567 additions and 1059 deletions

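--- a/.common.env.example
+++ b/.common.env.example
@@ -0,0 +1,44 @@
+# Docker images tags
+COMPANION_TAG="latest"
+HAPROXY_TAG="3.0"
+NGINX_TAG="1.27.4"
+YTPROXY_TAG="latest"
+GLUETUN_TAG="latest"
+# Reverse proxy
+REVERSEPROXY_PUBLIC_PORT=443
+REVERSEPROXY_METRICS_PORT=10000
+# invidious-companion
+SERVER_MAX_DASH_RESOLUTION=1080
+VERIFY_REQUESTS=true
+PORT=8081
+SERVER_SECRET_KEY=""
+SERVER_ENCRYPT_QUERY_PARAMS=true
+PO_TOKEN_CHECK=true
+JOBS_YOUTUBESESSION_FREQUENCY="*/5 * * * *"
+MAX_PROXY_RETIRES=2
+SERVER_ENABLE_METRICS=true
+SERVER_DISABLE_LOGS=true
+SERVER_TRACK_UNKNOWN_INNERTUBE_ERRORS=true
+# ytproxy
+YTPROXY_PORT=8080
+# Has to be the same as SERVER_SECRET_KEY
+YTPROXY_SECRET_KEY=""
+YTPROXY_BLOCK_CHECKER=false
+# Gluetun
+DOT_PROVIDERS=google
+HTTPPROXY=on
+VPN_TYPE=wireguard
+# Useless
+BLOCK_MALICIOUS=off
+# Useless
+BLOCK_SURVEILLANCE=off
+# Useless
+BLOCK_ADS=off
+# Unbound is installed on most servers
+DNS_KEEP_NAMESERVER=on
+DOT=on
+UPDATER_PERIOD=12h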
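Review bot: `SERVER_SECRET_KEY=""` and `YTPROXY_SECRET_KEY=""` must carry the same value according to the comment above the latter, but nothing at the first occurrence says so, so whoever fills in the companion section is likely to leave the pair out of sync; add `# Has to be the same as YTPROXY_SECRET_KEY` above `SERVER_SECRET_KEY=""` too, and state the expected length or format of the value. `HTTPPROXY=on` enables Gluetun's HTTP proxy inside its network namespace, which `companion` shares (`network_mode: "service:gluetun"` in proxy-components.yml); if nothing is meant to use that proxy set it to `off`, otherwise confirm it is not published to the host and is guarded with Gluetun's `HTTPPROXY_USER`/`HTTPPROXY_PASSWORD`. The real `.common.env` derived from this example will hold those secrets and is loaded into every service through the `x-common-elements` anchor in both compose files, so keep it out of version control and readable only by the deploying user.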

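--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,13 @@
+# Reverse proxy
+COMPANION_HOST=""
+EXVPP_HOST=""
+# Gluetun
+UPDATER_VPN_SERVICE_PROVIDERS=
+VPN_SERVICE_PROVIDER=
+WIREGUARD_PRIVATE_KEY=
+#SERVER_HOSTNAMES=""
+#SERVER_CITIES=""
+SERVER_COUNTRIES=""
+ISP=""
+WIREGUARD_ADDRESSES=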
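Review bot: `WIREGUARD_PRIVATE_KEY=` is the VPN identity, yet `./.env` is attached to every service by the `x-common-elements` anchor in docker-compose.yml and docker-compose-nginx.yml (`env_file: - path: ./.env`), so the key ends up in the environment of the webserver, ytproxy, companion, i2p and watchtower containers that have no use for it. Split the Gluetun-only variables into a separate env file referenced from the gluetun service alone (its definition is in proxy-components.yml, outside this view) and keep only `COMPANION_HOST`/`EXVPP_HOST` in the file that everything loads. The bare `WIREGUARD_ADDRESSES=` and `SERVER_COUNTRIES=""` lines would also benefit from a comment giving the expected shape, e.g. `# Comma-separated, format per Gluetun's documentation for the chosen provider`.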


@ -1,47 +0,0 @@
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-5.4.0
# NOTE: If you generated this yaml from an unprivileged and rootless podman container on an SELinux
# enabled system, check the podman generate kube man page for steps to follow to ensure that your pod/container
# has the right permissions to access the volumes added.
apiVersion: v1
kind: ConfigMap
metadata:
name: breezewiki-config
data:
config.ini: |
canonical_origin = "breezewiki.nadeko.net"
debug = false
port = 10416
strict_proxy = true
---
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2025-02-27T16:49:02Z"
labels:
app: breezewiki-pod
name: breezewiki-pod
spec:
volumes:
- name: config
configMap:
name: breezewiki-config
containers:
- image: quay.io/pussthecatorg/breezewiki:latest
name: breezewiki
ports:
- containerPort: 10416
hostIP: 127.0.0.1
hostPort: 10007
resources:
limits:
memory: 512Mi
volumeMounts:
- mountPath: /app/config.ini
subPath: config.ini
name: config
restartPolicy: Always


@ -1,4 +0,0 @@
canonical_origin = "breezewiki.nadeko.net"
debug = false
port = 10416
strict_proxy = true


@ -1,11 +0,0 @@
services:
breezewiki:
container_name: breezewiki
image: quay.io/pussthecatorg/breezewiki:latest
restart: always
mem_limit: 512mb
ports:
- "127.0.0.1:10007:10416" # Replace with "10416:10416" if you don't use a reverse proxy
volumes:
- "./config.ini:/app/config.ini"

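--- a/docker-compose-nginx.yml
+++ b/docker-compose-nginx.yml
@@ -0,0 +1,59 @@
+x-common-elements: &common-elements
+restart: always
+env_file:
+- path: ./.common.env
+- path: ./.env
+services:
+# NGINX
+webserver:
+image: git.nadeko.net/fijxu/nginx-ktls:${NGINX_TAG}
+<<: *common-elements
+networks:
+proxy-server:
+ipv4_address: 172.50.0.2
+volumes:
+- ./nginx.conf:/nginx.conf.template
+- ./key.key:/certs/cert.pem.key
+- ./fullchain.pem:/certs/cert.pem
+- videoplayback_proxy:/tmp
+ports:
+- "${REVERSEPROXY_PUBLIC_PORT}:443/tcp"
+labels:
+- "com.centurylinklabs.watchtower.enable=true"
+http3-ytproxy:
+<<: *common-elements
+extends:
+file: ./proxy-components.yml
+service: http3-ytproxy
+companion:
+<<: *common-elements
+extends:
+file: ./proxy-components.yml
+service: companion
+gluetun:
+<<: *common-elements
+extends:
+file: ./proxy-components.yml
+service: gluetun
+watchtower:
+<<: *common-elements
+extends:
+file: ./proxy-components.yml
+service: watchtower
+volumes:
+videoplayback_proxy:
+networks:
+proxy-server:
+driver: bridge
+ipam:
+driver: default
+config:
+- subnet: 172.50.0.0/24
+gateway: 172.50.0.1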
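Review bot: The label `com.centurylinklabs.watchtower.enable=true` on `webserver`, together with the mutable tags in .common.env.example (`COMPANION_TAG`, `YTPROXY_TAG` and `GLUETUN_TAG` all default to `latest`), presumably lets watchtower pull and restart whatever the registries publish with no review step in between; pin those tags to a version or digest, or run watchtower in notify-only mode, so a compromised or mistaken upstream push does not go straight into production. `webserver` also inherits both env files through `<<: *common-elements` although nginx.conf only substitutes `${EXVPP_HOST}` and `${COMPANION_HOST}`, and it bind-mounts the TLS private key `./key.key`; giving it only the env file it needs shrinks what a compromised nginx can read. Note that `<<:` merge keys are a YAML 1.1 extension that Compose understands but some linters and schema validators reject.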

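--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,76 @@
+x-common-elements: &common-elements
+restart: always
+env_file:
+- path: ./.common.env
+- path: ./.env
+services:
+# HAProxy
+webserver:
+# https://github.com/iuridiniz/haproxy-quic-docker
+# Image to support QUIC (altrough I don't use QUIC anymore becuase it's
+# useless for video streaming, for a reason Netflix doesn't even use it)
+image: iuridiniz/haproxy:${HAPROXY_TAG}
+<<: *common-elements
+networks:
+proxy-server:
+ipv4_address: 172.50.0.2
+volumes:
+- ./haproxy.cfg:/etc/haproxy/haproxy.cfg
+- ./denylist.txt:/etc/haproxy/denylist.txt
+- ./key.key:/certs/cert.pem.key
+- ./fullchain.pem:/certs/cert.pem
+- videoplayback_proxy:/tmp
+ports:
+- "${REVERSEPROXY_PUBLIC_PORT}:443/tcp"
+- "${REVERSEPROXY_METRICS_PORT}:10000/tcp"
+i2p:
+image: ghcr.io/purplei2p/i2pd:latest
+<<: *common-elements
+networks:
+proxy-server:
+ipv4_address: 172.50.0.5
+# Temporary root user until I make my own I2Pd image
+user: 0:0
+volumes:
+- ./i2pd_data:/home/i2pd/data
+ports:
+- "127.0.0.1:7070:7070/tcp"
+- "51023:51023"
+ytproxy:
+<<: *common-elements
+extends:
+file: ./proxy-components.yml
+service: ytproxy
+companion:
+<<: *common-elements
+extends:
+file: ./proxy-components.yml
+service: companion
+gluetun:
+<<: *common-elements
+extends:
+file: ./proxy-components.yml
+service: gluetun
+watchtower:
+<<: *common-elements
+extends:
+file: ./proxy-components.yml
+service: watchtower
+volumes:
+videoplayback_proxy:
+networks:
+proxy-server:
+driver: bridge
+ipam:
+driver: default
+config:
+- subnet: 172.50.0.0/24
+gateway: 172.50.0.1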
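Review bot: `"${REVERSEPROXY_METRICS_PORT}:10000/tcp"` publishes the HAProxy Prometheus exporter (`frontend prometheus` in haproxy.cfg, no authentication, `no log`) on every host interface, whereas the i2pd console a few lines down is correctly limited to `127.0.0.1:7070:7070/tcp`; unless the scraper runs on another host, write it as `"127.0.0.1:${REVERSEPROXY_METRICS_PORT}:10000/tcp"` or move it to an internal network. The `i2p` service runs as `user: 0:0` (acknowledged as temporary) with `./i2pd_data` bind-mounted and `51023:51023` published on all interfaces; until the custom image exists, `cap_drop: [ALL]` and `security_opt: [no-new-privileges:true]` bound what that root process can do if i2pd is compromised. The `x-common-elements`, `volumes` and `networks` stanzas are identical to docker-compose-nginx.yml, and the note on mutable `latest` tags plus watchtower there applies to this file as well.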


@ -1,29 +0,0 @@
services:
docker-in-docker:
image: docker:dind
container_name: 'forgejo-dind'
privileged: 'true'
command: ['dockerd', '-H', 'tcp://0.0.0.0:2375', '--tls=false']
restart: 'unless-stopped'
forgejo-runner:
image: 'code.forgejo.org/forgejo/runner:3.5.1'
container_name: 'forgejo-runner'
links:
- docker-in-docker
depends_on:
docker-in-docker:
condition: service_started
# user: 1001:1001
environment:
DOCKER_HOST: tcp://docker-in-docker:2375
volumes:
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
restart: 'unless-stopped'
privileged: 'true'
command: '/bin/sh -c "sleep 5; forgejo-runner daemon"'
# command: '/bin/sh -c "while : ; do sleep 1 ; done ;"'
volumes:
forgejo-runner-data:

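--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -0,0 +1,69 @@
+# Good info about TLS speeds: https://istlsfastyet.com/
+global
+# This because haproxy is dumb and likes to use the maxconnection from the kernel and that is super mega huge making haproxy oom
+# maxconn 32768
+# Tied to net.core.somaxconn kernel parameter
+resolvers docker
+# Without this, if a container crashes, haproxy will not be
+# able to find where the recreated container is.
+# Ref: https://stackoverflow.com/a/42135283
+nameserver dns1 127.0.0.11:53
+defaults
+mode http
+timeout client 30s
+timeout connect 5s
+timeout server 30s
+http-reuse safe
+option splice-auto
+option tcp-smart-connect
+# Prometheus for graphs
+frontend prometheus
+bind *:10000
+mode http
+http-request use-service prometheus-exporter if { path /metrics }
+no log
+frontend www
+bind *:80
+# bind *:443 ssl crt /certs/cert.pem alpn h2,http/1.1 allow-0rtt
+# Restrict to HTTP/1.1 since HTTP/2 is not useful for DASH video streaming.
+# HTTP/1.1 also uses a fairly low ammount of CPU compared to HTTP/2.
+# HTTP/2 is useful for requesting a lot of files at the same time, but
+# for DASH video streaming you download the video in a synchronously way,
+# making HTTP/2 useless for it.
+bind *:443 ssl crt /certs/cert.pem alpn http/1.1
+# https://docs.haproxy.org/3.0/configuration.html#4.2-tcp-request%20connection
+# https://docs.haproxy.org/3.0/configuration.html#4.2-http-request
+http-request deny if { src -f /etc/haproxy/denylist.txt }
+filter bwlim-out video-streaming default-limit 5000k default-period 1s
+# QUIC is not really needed for video streaming and it uses a lot of CPU.
+# Ref: https://news.ycombinator.com/item?id=23585120
+#bind quic4@:443 ssl crt /certs/cert.pem alpn h3 allow-0rtt
+#http-after-response add-header alt-svc 'h3=":443"; ma=900'
+# HAPROXY_EXVPP_HOST: The external video playback host
+# acl c hdr(host) -i "$COMPANION_HOST"
+# acl cc hdr(host) -i "$COMPANION_HOST":8443
+# acl h hdr(host) -i "$EXVPP_HOST"
+# acl hh hdr(host) -i "$EXVPP_HOST":8443
+http-request set-bandwidth-limit video-streaming
+acl health_check path /health
+http-request return status 200 if health_check
+use_backend http3-ytproxy if { path_beg /videoplayback } || { path /metrics_ytproxy }
+default_backend companion
+backend http3-ytproxy
+http-request set-path /metrics if { path /metrics_ytproxy }
+server s1 unix@/tmp/http-ytproxy.sock
+backend companion
+server s1 gluetun:8081 check resolvers docker init-addr libc,none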
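Review bot: The `global` comment says HAProxy inherits the kernel's connection limit and runs out of memory without a cap, but the only cap on the page is commented out (`# maxconn 32768`), so this config ships exactly the condition it warns about; the haproxy.cfg removed by this compare set `maxconn 8192`, so either restore `maxconn 8192` under `global` or replace the comment with the reason the cap is no longer needed. `defaults` also lacks `timeout http-request`, so a client that trickles header bytes keeps `timeout client 30s` from expiring and holds a slot indefinitely; `timeout http-request 10s` bounds the header phase. The `/health` rule returns 200 before any backend is consulted, so it reports that the proxy is up rather than that companion or ytproxy is reachable; say so in a comment next to `acl health_check path /health`, or gate it on `nbsrv(companion) gt 0` if callers treat it as a readiness check.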

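--- a/i2pd_data/i2pd.conf
+++ b/i2pd_data/i2pd.conf
@@ -0,0 +1,46 @@
+log = stdout
+loglevel = error
+ipv4 = true
+ipv6 = false
+port = 51023
+bandwidth = X
+share = 5
+[ntcp2]
+enabled = true
+published = true
+[ssu2]
+enabled = true
+published = true
+[http]
+enabled = true
+address = 0.0.0.0
+port = 7070
+# To prevent "host mismatch" when opening the WebUI
+strictheaders = false
+[httpproxy]
+enabled = false
+address = 0.0.0.0
+port = 4444
+[socksproxy]
+enabled = false
+address = 0.0.0.0
+port = 4447
+[sam]
+enabled = false
+address = 0.0.0.0
+port = 7656
+[upnp]
+enabled = false
+[reseed]
+verify = true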
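Review bot: `[http]` binds the web console on `address = 0.0.0.0` with `strictheaders = false` and no authentication settings, so every container on the `proxy-server` network (webserver, watchtower, and companion through gluetun) can reach the console unauthenticated, and the Host-header check that `strictheaders` provides against DNS-rebinding from a browser on the host has been switched off to silence a "host mismatch" message. If the console must stay reachable through the `127.0.0.1:7070` host mapping, enable i2pd's console login (`auth = true` with `user`/`pass` — confirm the exact option names against the i2pd version in the image) instead of relaxing the header check, and keep `strictheaders` on. A short comment that `bandwidth = X` means unlimited and `share = 5` caps transit traffic would spare the next maintainer a trip to the manual.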

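--- a/i2pd_data/tunnels.conf
+++ b/i2pd_data/tunnels.conf
@@ -0,0 +1,5 @@
+[companion]
+type=http
+host=172.50.0.2
+port=80
+keys=key.dat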
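Review bot: `keys=key.dat` stores the tunnel's destination identity in `./i2pd_data`, the directory that docker-compose.yml bind-mounts straight from the checkout (`./i2pd_data:/home/i2pd/data`); unless that directory is excluded from version control, the hidden-service key would be committed next to this file, so confirm the ignore rule exists. `host=172.50.0.2` and `port=80` repeat the webserver's static `ipv4_address` from the compose `ipam` block and HAProxy's plaintext `bind *:80`, which is fine but silent; a comment such as `# webserver's ipv4_address in docker-compose.yml; port 80 is the plain-HTTP listener in haproxy.cfg` keeps the three files in step when one of them changes.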



@ -1,4 +0,0 @@
#INVIDIOUS_BANNER=""
# Fill those 2 environment variables
INVIDIOUS_INVIDIOUS_COMPANION_KEY=""
INVIDIOUS_HMAC_KEY=""


@ -1,10 +0,0 @@
# PG_BOUNCER
# Use `/var/run/postgresql/` if you are passing a local
# postgresql database running on the host machine
# Otherwise, you will need to figure it out how to
# configure this if you want to run a separate
# postgresql database only for invidious.
DB_HOST=/var/run/postgresql/
DB_USER=""
DB_PASSWORD=""
DB_NAME=""


@ -1,398 +0,0 @@
{
"bots": [
{
"name": "amazonbot",
"user_agent_regex": "Amazonbot",
"action": "DENY"
},
{
"name": "googlebot",
"user_agent_regex": "\\+http\\://www\\.google\\.com/bot\\.html",
"action": "ALLOW",
"remote_addresses": [
"2001:4860:4801:10::/64",
"2001:4860:4801:11::/64",
"2001:4860:4801:12::/64",
"2001:4860:4801:13::/64",
"2001:4860:4801:14::/64",
"2001:4860:4801:15::/64",
"2001:4860:4801:16::/64",
"2001:4860:4801:17::/64",
"2001:4860:4801:18::/64",
"2001:4860:4801:19::/64",
"2001:4860:4801:1a::/64",
"2001:4860:4801:1b::/64",
"2001:4860:4801:1c::/64",
"2001:4860:4801:1d::/64",
"2001:4860:4801:1e::/64",
"2001:4860:4801:1f::/64",
"2001:4860:4801:20::/64",
"2001:4860:4801:21::/64",
"2001:4860:4801:22::/64",
"2001:4860:4801:23::/64",
"2001:4860:4801:24::/64",
"2001:4860:4801:25::/64",
"2001:4860:4801:26::/64",
"2001:4860:4801:27::/64",
"2001:4860:4801:28::/64",
"2001:4860:4801:29::/64",
"2001:4860:4801:2::/64",
"2001:4860:4801:2a::/64",
"2001:4860:4801:2b::/64",
"2001:4860:4801:2c::/64",
"2001:4860:4801:2d::/64",
"2001:4860:4801:2e::/64",
"2001:4860:4801:2f::/64",
"2001:4860:4801:31::/64",
"2001:4860:4801:32::/64",
"2001:4860:4801:33::/64",
"2001:4860:4801:34::/64",
"2001:4860:4801:35::/64",
"2001:4860:4801:36::/64",
"2001:4860:4801:37::/64",
"2001:4860:4801:38::/64",
"2001:4860:4801:39::/64",
"2001:4860:4801:3a::/64",
"2001:4860:4801:3b::/64",
"2001:4860:4801:3c::/64",
"2001:4860:4801:3d::/64",
"2001:4860:4801:3e::/64",
"2001:4860:4801:40::/64",
"2001:4860:4801:41::/64",
"2001:4860:4801:42::/64",
"2001:4860:4801:43::/64",
"2001:4860:4801:44::/64",
"2001:4860:4801:45::/64",
"2001:4860:4801:46::/64",
"2001:4860:4801:47::/64",
"2001:4860:4801:48::/64",
"2001:4860:4801:49::/64",
"2001:4860:4801:4a::/64",
"2001:4860:4801:4b::/64",
"2001:4860:4801:4c::/64",
"2001:4860:4801:50::/64",
"2001:4860:4801:51::/64",
"2001:4860:4801:52::/64",
"2001:4860:4801:53::/64",
"2001:4860:4801:54::/64",
"2001:4860:4801:55::/64",
"2001:4860:4801:56::/64",
"2001:4860:4801:60::/64",
"2001:4860:4801:61::/64",
"2001:4860:4801:62::/64",
"2001:4860:4801:63::/64",
"2001:4860:4801:64::/64",
"2001:4860:4801:65::/64",
"2001:4860:4801:66::/64",
"2001:4860:4801:67::/64",
"2001:4860:4801:68::/64",
"2001:4860:4801:69::/64",
"2001:4860:4801:6a::/64",
"2001:4860:4801:6b::/64",
"2001:4860:4801:6c::/64",
"2001:4860:4801:6d::/64",
"2001:4860:4801:6e::/64",
"2001:4860:4801:6f::/64",
"2001:4860:4801:70::/64",
"2001:4860:4801:71::/64",
"2001:4860:4801:72::/64",
"2001:4860:4801:73::/64",
"2001:4860:4801:74::/64",
"2001:4860:4801:75::/64",
"2001:4860:4801:76::/64",
"2001:4860:4801:77::/64",
"2001:4860:4801:78::/64",
"2001:4860:4801:79::/64",
"2001:4860:4801:80::/64",
"2001:4860:4801:81::/64",
"2001:4860:4801:82::/64",
"2001:4860:4801:83::/64",
"2001:4860:4801:84::/64",
"2001:4860:4801:85::/64",
"2001:4860:4801:86::/64",
"2001:4860:4801:87::/64",
"2001:4860:4801:88::/64",
"2001:4860:4801:90::/64",
"2001:4860:4801:91::/64",
"2001:4860:4801:92::/64",
"2001:4860:4801:93::/64",
"2001:4860:4801:94::/64",
"2001:4860:4801:95::/64",
"2001:4860:4801:96::/64",
"2001:4860:4801:a0::/64",
"2001:4860:4801:a1::/64",
"2001:4860:4801:a2::/64",
"2001:4860:4801:a3::/64",
"2001:4860:4801:a4::/64",
"2001:4860:4801:a5::/64",
"2001:4860:4801:c::/64",
"2001:4860:4801:f::/64",
"192.178.5.0/27",
"192.178.6.0/27",
"192.178.6.128/27",
"192.178.6.160/27",
"192.178.6.192/27",
"192.178.6.32/27",
"192.178.6.64/27",
"192.178.6.96/27",
"34.100.182.96/28",
"34.101.50.144/28",
"34.118.254.0/28",
"34.118.66.0/28",
"34.126.178.96/28",
"34.146.150.144/28",
"34.147.110.144/28",
"34.151.74.144/28",
"34.152.50.64/28",
"34.154.114.144/28",
"34.155.98.32/28",
"34.165.18.176/28",
"34.175.160.64/28",
"34.176.130.16/28",
"34.22.85.0/27",
"34.64.82.64/28",
"34.65.242.112/28",
"34.80.50.80/28",
"34.88.194.0/28",
"34.89.10.80/28",
"34.89.198.80/28",
"34.96.162.48/28",
"35.247.243.240/28",
"66.249.64.0/27",
"66.249.64.128/27",
"66.249.64.160/27",
"66.249.64.224/27",
"66.249.64.32/27",
"66.249.64.64/27",
"66.249.64.96/27",
"66.249.65.0/27",
"66.249.65.128/27",
"66.249.65.160/27",
"66.249.65.192/27",
"66.249.65.224/27",
"66.249.65.32/27",
"66.249.65.64/27",
"66.249.65.96/27",
"66.249.66.0/27",
"66.249.66.128/27",
"66.249.66.160/27",
"66.249.66.192/27",
"66.249.66.224/27",
"66.249.66.32/27",
"66.249.66.64/27",
"66.249.66.96/27",
"66.249.68.0/27",
"66.249.68.128/27",
"66.249.68.32/27",
"66.249.68.64/27",
"66.249.68.96/27",
"66.249.69.0/27",
"66.249.69.128/27",
"66.249.69.160/27",
"66.249.69.192/27",
"66.249.69.224/27",
"66.249.69.32/27",
"66.249.69.64/27",
"66.249.69.96/27",
"66.249.70.0/27",
"66.249.70.128/27",
"66.249.70.160/27",
"66.249.70.192/27",
"66.249.70.224/27",
"66.249.70.32/27",
"66.249.70.64/27",
"66.249.70.96/27",
"66.249.71.0/27",
"66.249.71.128/27",
"66.249.71.160/27",
"66.249.71.192/27",
"66.249.71.224/27",
"66.249.71.32/27",
"66.249.71.64/27",
"66.249.71.96/27",
"66.249.72.0/27",
"66.249.72.128/27",
"66.249.72.160/27",
"66.249.72.192/27",
"66.249.72.224/27",
"66.249.72.32/27",
"66.249.72.64/27",
"66.249.72.96/27",
"66.249.73.0/27",
"66.249.73.128/27",
"66.249.73.160/27",
"66.249.73.192/27",
"66.249.73.224/27",
"66.249.73.32/27",
"66.249.73.64/27",
"66.249.73.96/27",
"66.249.74.0/27",
"66.249.74.128/27",
"66.249.74.160/27",
"66.249.74.192/27",
"66.249.74.32/27",
"66.249.74.64/27",
"66.249.74.96/27",
"66.249.75.0/27",
"66.249.75.128/27",
"66.249.75.160/27",
"66.249.75.192/27",
"66.249.75.224/27",
"66.249.75.32/27",
"66.249.75.64/27",
"66.249.75.96/27",
"66.249.76.0/27",
"66.249.76.128/27",
"66.249.76.160/27",
"66.249.76.192/27",
"66.249.76.224/27",
"66.249.76.32/27",
"66.249.76.64/27",
"66.249.76.96/27",
"66.249.77.0/27",
"66.249.77.128/27",
"66.249.77.160/27",
"66.249.77.192/27",
"66.249.77.224/27",
"66.249.77.32/27",
"66.249.77.64/27",
"66.249.77.96/27",
"66.249.78.0/27",
"66.249.78.32/27",
"66.249.79.0/27",
"66.249.79.128/27",
"66.249.79.160/27",
"66.249.79.192/27",
"66.249.79.224/27",
"66.249.79.32/27",
"66.249.79.64/27",
"66.249.79.96/27"
]
},
{
"name": "bingbot",
"user_agent_regex": "\\+http\\://www\\.bing\\.com/bingbot\\.htm",
"action": "ALLOW",
"remote_addresses": [
"157.55.39.0/24",
"207.46.13.0/24",
"40.77.167.0/24",
"13.66.139.0/24",
"13.66.144.0/24",
"52.167.144.0/24",
"13.67.10.16/28",
"13.69.66.240/28",
"13.71.172.224/28",
"139.217.52.0/28",
"191.233.204.224/28",
"20.36.108.32/28",
"20.43.120.16/28",
"40.79.131.208/28",
"40.79.186.176/28",
"52.231.148.0/28",
"20.79.107.240/28",
"51.105.67.0/28",
"20.125.163.80/28",
"40.77.188.0/22",
"65.55.210.0/24",
"199.30.24.0/23",
"40.77.202.0/24",
"40.77.139.0/25",
"20.74.197.0/28",
"20.15.133.160/27",
"40.77.177.0/24",
"40.77.178.0/23"
]
},
{
"name": "qwantbot",
"user_agent_regex": "\\+https\\://help\\.qwant\\.com/bot/",
"action": "ALLOW",
"remote_addresses": [
"91.242.162.0/24"
]
},
{
"name": "kagibot",
"user_agent_regex": "\\+https\\://kagi\\.com/bot",
"action": "ALLOW",
"remote_addresses": [
"216.18.205.234/32",
"35.212.27.76/32",
"104.254.65.50/32",
"209.151.156.194/32"
]
},
{
"name": "marginalia",
"user_agent_regex": "search\\.marginalia\\.nu",
"action": "ALLOW",
"remote_addresses": [
"193.183.0.162/31",
"193.183.0.164/30",
"193.183.0.168/30",
"193.183.0.172/31",
"193.183.0.174/32"
]
},
{
"name": "mojeekbot",
"user_agent_regex": "http\\://www\\.mojeek\\.com/bot\\.html",
"action": "ALLOW",
"remote_addresses": [
"5.102.173.71/32"
]
},
{
"name": "us-artificial-intelligence-scraper",
"user_agent_regex": "\\+https\\://github\\.com/US-Artificial-Intelligence/scraper",
"action": "DENY"
},
{
"name": "well-known",
"path_regex": "^/.well-known/.*$",
"action": "ALLOW"
},
{
"name": "favicon",
"path_regex": "^/favicon.ico$",
"action": "ALLOW"
},
{
"name": "robots-txt",
"path_regex": "^/robots.txt$",
"action": "ALLOW"
},
{
"name": "lightpanda",
"user_agent_regex": "^Lightpanda/.*$",
"action": "DENY"
},
{
"name": "headless-chrome",
"user_agent_regex": "HeadlessChrome",
"action": "DENY"
},
{
"name": "headless-chromium",
"user_agent_regex": "HeadlessChromium",
"action": "DENY"
},
{
"name": "generic-bot-catchall",
"user_agent_regex": "(?i:bot|crawler)",
"action": "CHALLENGE",
"challenge": {
"difficulty": 16,
"report_as": 4,
"algorithm": "slow"
}
},
{
"name": "generic-browser",
"user_agent_regex": "Mozilla",
"action": "CHALLENGE"
}
],
"dnsbl": false
}


@ -1,90 +0,0 @@
# Fill the required fields!
database_url: postgres://<db_user>:<db_password>@pgbouncer:5432/<db_name>
# Main domain from where
domain: "fill me"
# Sane defaults, leave them like this
channel_threads: 0
log_level: Info
colorize_logs: true
redis_url: tcp://valkey:6379
https_only: true
use_pubsub_feeds: false
popular_enabled: true
captcha_enabled: true
login_enabled: true
registration_enabled: true
statistics_enabled: true
external_port: 443
cache_annotations: true
hsts: true
enable_user_notifications: true
force_resolve: ipv4
pool_size: 100
use_innertube_for_captions: true
# DO NOT CHANGE THIS UNLESS YOU DID A FORK OF MY FORK
modified_source_code_url: https://git.nadeko.net/Fijxu/invidious
# It's recommended to disable downloads from Invidious to prevent abuse
disable_proxy:
- downloads
instance_maintainer_email: admin@example.com
footer_instance_donate_link: ""
footer_instance_section_custom_fields:
- ["Example1", "https://example.com"]
- ["Example2", "https://example.com"]
# inv.nadeko.net only options
pubsub_domain: https://inv.nadeko.net
# This option only works when Invidious is in use with
# inv_sig_helper.
max_dash_resolution: 1080
jobs:
refresh_channels:
enable: false
subscribe_to_feeds:
enable: false
default_user_preferences:
region: CL
dark_mode: dark
autoplay: true
quality: dash
save_player_pos: true
extend_desc: true
# Leave local like this due to a bug with VideoJS
#local: false
invidious_companion:
# private_url has to be the same as public_url if
# invidious companion is running on an external server
- private_url: "http://companion:8282"
public_url: "https://inv-companion.example.com"
i2p_public_url: "http://invcluifpcrybsji4imau42raygqc67ex3g65ff2md236gx37cgq.b32.i2p"
# Optional
note: "(CL)"
domain: ["inv1.nadeko.net", "inv1.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion", "nadekoohummkxncchcsylr3eku36ze4waq4kdrhcqupckc3pe5qq.b32.i2p"]
# Cookie used so the user can switch between different
# companions on if there is more than one invidious_companion
server_id_cookie_name: "COMPANION_IDD"
# Leave this like this
# Backend 0 is postgresql
# Backend 1 is redis
# Backend 2 is built-in LRU (Not recommeneded, just for development purposes)
video_cache:
enabled: true
backend: 1
# This forces videoplayback proxy for all videos preveting
# the ip and tokens used on companion being leaked on the frontend
force_local: true
# Interval on which the invidious companions are being checked.
# Used to display a status dot next to the selected backend
check_backends_interval: 30


@ -1,151 +0,0 @@
# Docker compose file for inv.nadeko.net
# https://docs.docker.com/compose/how-tos/multiple-compose-files/include/
# Not used anymore, that is why it's commented
# include:
# - ../valkey-invidious/docker-compose.yml
# #- ../invidious-companion/docker-compose.yml
# https://docs.docker.com/reference/compose-file/extension/
x-common-invidious-env: &common-invidious-env
INVIDIOUS_CONFIG_FILE: "/etc/invidious/config.yml"
x-common: &common-invidious
#hostname: invidious
env_file:
# Env file containing INVIDIOUS_* variables
- .env-invidious
image: "git.nadeko.net/fijxu/invidious:latest"
restart: always
###
# I recommend leaving this like this
mem_limit: 780MB
cpus: 0.50
deploy:
replicas: 4
###
volumes:
# Thist postgresql mount is not needed anymore since I use pgbouncer now
# which is at the end of this docker compose file
# - /var/run/postgresql/.s.PGSQL.5432:/var/run/postgresql/.s.PGSQL.5432:rw
- ./config.yml:/etc/invidious/config.yml:ro
# Watchtower checks in intervals of 60 seconds for fast container updates.
# It needs to have a scope or Watchtower will spam docker servers asking
# for a new image update therefore rate limiting me
labels: [ "com.centurylinklabs.watchtower.scope=trusted-fast" ]
x-common-haproxy: &common-haproxy
hostname: haproxy
image: haproxy:lts-alpine
restart: always
volumes:
- ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
x-common-anubis-env: &common-anubis-env
DIFFICULTY: "3"
SERVE_ROBOTS_TXT: "true"
BIND: "0.0.0.0:4000"
METRICS_BIND: "0.0.0.0:9090"
POLICY_FNAME: "/data/cfg/botPolicy.json"
x-common-anubis: &common-anubis
image: git.nadeko.net/fijxu/anubis:latest
restart: always
env_file:
- .env-anubis
volumes:
- "./botPolicy.json:/data/cfg/botPolicy.json:ro"
labels: [ "com.centurylinklabs.watchtower.scope=trusted-fast" ]
x-common-valkey: &common-valkey
image: valkey/valkey:7.2-alpine
hostname: valkey
restart: unless-stopped
volumes:
- ./valkey.conf:/usr/local/etc/valkey/valkey.conf
command: "valkey-server /usr/local/etc/valkey/valkey.conf"
services:
# INVIDIOUS SECTION #
invidious:
<<: *common-invidious
environment:
<<: *common-invidious-env
networks:
- invidious
depends_on:
- valkey
- pgbouncer
- haproxy
- anubis-inv
# YTPROXY to proxy images, just for Fijxu's debugging purposes!
# ytproxy:
# image: git.nadeko.net/fijxu/http3-ytproxy:latest
# ports:
# - "127.0.0.1:12403:8080/tcp"
# ANUBIS SECTION #
anubis-inv:
<<: *common-anubis
environment:
<<: *common-anubis-env
TARGET: "http://invidious:3000"
networks:
- invidious
ports:
- 127.0.0.1:9051:9090
# HAPROXY SECTION #
haproxy:
<<: *common-haproxy
ports:
# Port to expose invidious
- "127.0.0.1:11101:8001"
# Port to expose the prometheus metrics
- "127.0.0.1:11111:8404"
networks:
- invidious
valkey:
<<: *common-valkey
networks:
- invidious
# Pgbouncer to keep connections to the database open
pgbouncer:
image: edoburu/pgbouncer
restart: unless-stopped
env_file:
- .env-pgbouncer
environment:
- POOL_MODE=transaction
# Everything is being done locally
# https://www.pgbouncer.org/config.html
- AUTH_TYPE=trust
mem_limit: "128m"
volumes:
- /var/run/postgresql/.s.PGSQL.5432:/var/run/postgresql/.s.PGSQL.5432:rw
networks:
- invidious
networks:
invidious:
name: invidious
# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⠤⠤⢤⣄⡤⠤⣤⣀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
# ⠀⠀⠀⠀⠀⠀⠀⢀⣠⠤⠀⡴⠋⠀⠀⠀⠀⠀⠉⠒⢌⠉⠛⣽⡲⣄⡀⠀⠀⠀⠀⠀⠀
# ⠀⠀⠀⠀⠀⣠⠾⠉⠀⠀⠀⠀⣄⠀⠀⠀⠀⠀⢀⣀⠀⣥⡤⠜⠊⣈⢻⣆⠀⠀⠀⠀⠀
# ⠀⠀⠀⣠⠾⠁⠔⠨⠂⠀⢀⠘⡜⡦⣀⡴⡆⠛⠒⠙⡴⡀⠘⡆⠀⠀⠛⡙⢷⡀⠀⠀⠀
# ⠀⠀⡴⠃⠀⠀⠀⠀⢀⣠⡼⠟⡏⡏⠙⣇⢸⡄⠀⠀⢹⠏⠁⢹⡳⣤⠀⠘⡌⣷⠀⠀⠀
# ⠀⣸⠃⠀⡠⠖⢲⠀⠀⣸⠃⢰⡇⡇⠀⢸⣌⣇⢀⠀⣸⣷⣀⡼⢣⡇⠀⠀⢹⣹⠀⠀⠀
# ⠀⡏⠀⡜⠁⠀⠁⠀⡰⢃⣴⣷⢟⣿⡟⡲⠟⠻⠊⠙⠃⣼⣿⣻⣾⡇⠀⠀⢸⡿⠀⠀⠀
# ⠀⡇⠰⡇⠀⢀⡠⠞⡗⢩⡟⢸⡏⠀⢹⡇⠀⠀⠀⠀⠀⢸⣿⠉⢱⣿⠠⢤⣟⠁⠀⠀⠀
# ⠀⣧⠀⠉⠉⠉⠀⢸⠦⡸⡅⢸⣏⠒⣱⠇⠀⠀⠀⠀⠀⠀⢿⣅⡽⠙⢦⠀⢈⣳⡄⠀⠀
# ⠀⡟⠀⠀⠀⠀⠀⠘⠀⣘⡌⣀⡉⠉⠁⠀⠀⠀⠀⠈⠀⠀⠀⠀⠀⠁⠀⡸⠛⠜⡷⣠⠀
# ⢸⠃⠀⠀⠀⠀⣀⡫⣿⣮⡀⠀⠀⠀⠀⠀⢠⠤⠶⡦⡤⠀⠀⠀⠀⠀⢠⠇⡀⠸⣧⣤⡆
# ⡟⠀⠀⠀⠀⠀⠀⡄⢠⠉⢇⠀⡄⠀⠀⠀⠘⢦⣀⡸⠃⠀⠀⠀⢀⡠⠋⠈⠛⢷⡖⠋⠀
# ⡇⢀⠀⠀⠀⠀⠀⢇⠀⢕⣺⣿⣅⡀⠀⠀⠀⠀⠀⠀⢀⣠⠤⠒⠉⠀⢠⣄⡶⠋⠀⠀⠀
# ⠻⢾⣼⣦⣀⠀⡄⠈⠓⢦⣼⣿⣍⠉⠻⣄⠀⢈⠏⠉⣿⣦⡀⠀⢀⣠⠾⠀⠀⠀⠀⠀⠀
# ⠀⠀⠈⠀⠉⠙⠓⠛⣦⡼⠘⣿⣿⣷⣤⣀⣹⠞⢤⣼⣿⣿⠈⢶⡋⠁⠀⠀⠀⠀⠀⠀⠀


@ -1,57 +0,0 @@
# Notes:
# Why I deleted `balance roundrobin`:
#
# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#4-balance:
# The load balancing algorithm of a backend is set to roundrobin when no other
# algorithm, mode nor option have been set. The algorithm may only be set once
# for each backend.
#
# ---
# Why I removed `option http-keep-alive`: This is on by default
global
# This because haproxy is dumb and likes to use the maxconnection (somaxconn) from the kernel and that is super mega huge making haproxy oom
maxconn 8192
resolvers docker
# To be able to use multiple replicas of invidious
# using domains
nameserver dns1 127.0.0.11:53
defaults
mode http
# https://www.haproxy.com/documentation/haproxy-configuration-tutorials/service-reliability/retries/
# Use another server if one takes too long to reply
retries 4
option redispatch
timeout client 10s
timeout connect 5s
# The default timeout of http request on invidious is 10 seconds.
# If this is less than 10 seconds, the reverse proxy may return
# "503 service unavailable", not letting invidious respond to
# the client.
timeout server 30s
timeout queue 20s
# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#4.2-http-reuse
http-reuse safe
# Prometheus for graphs
frontend prometheus
bind *:8404
mode http
http-request use-service prometheus-exporter if { path /metrics }
no log
frontend invidious
bind *:8001
# Use anubis only for /watch path
use_backend anubis-inv if { path /watch } || { path_beg /.within.website }
default_backend invidious
backend anubis-inv
server srv1 anubis-inv:4000 check resolvers docker init-addr libc,none
backend invidious
server-template srv 4 invidious:3000 check resolvers docker init-addr libc,none


@ -1,7 +0,0 @@
maxmemory 2048mb
maxmemory-policy volatile-lfu
# Disable AOF
appendonly no
# Disable RDB
save ""


@ -1,25 +0,0 @@
# Docker compose file for the feed reciever of inv.nadeko.net
x-labels: &labels
labels: [ "com.centurylinklabs.watchtower.scope=invidious" ]
services:
# INVIDIOUS CLEARNET
invidious-feed-reciever:
image: "git.nadeko.net/fijxu/invidious:${TAG}"
restart: unless-stopped
ports:
- "127.0.0.1:20090:3000"
volumes:
- /var/run/postgresql/.s.PGSQL.5432:/var/run/postgresql/.s.PGSQL.5432:rw
- ./config.yml:/etc/invidious/config.yml:ro
environment:
INVIDIOUS_CONFIG_FILE: "/etc/invidious/config.yml"
<<: *labels
valkey:
image: valkey/valkey:7.2-alpine
restart: unless-stopped
volumes:
- ./valkey.conf:/usr/local/etc/valkey/valkey.conf
command: "valkey-server /usr/local/etc/valkey/valkey.conf"


@ -1,7 +0,0 @@
maxmemory 1280mb
maxmemory-policy volatile-lfu
# Disable AOF
appendonly no
# Disable RDB
save ""


@ -1,6 +0,0 @@
#!/bin/bash
docker compose --file /home/services/invidious/invidious/docker-compose.yml kill -s HUP invidious invidious-tor
docker compose --file /home/services/invidious/invidious-vpn/docker-compose.yml kill -s HUP invidious invidious-2 invidious-3 invidious-4 invidious-tor ptgen
docker compose --file /home/services/invidious/invidious-vpn-2/docker-compose.yml kill -s HUP invidious invidious-2 invidious-3 invidious-4 invidious-tor ptgen
docker compose --file /home/services/invidious/invidious-external/docker-compose.yml kill -s HUP invidious invidious-tor


@ -1,7 +0,0 @@
#!/bin/bash
docker compose --file /home/services/invidious/invidious-feed-receiver/docker-compose.yml up -d --force-recreate invidious-feed-reciever --remove-orphans
docker compose --file /home/services/invidious/invidious/docker-compose.yml up -d --force-recreate invidious --remove-orphans
docker compose --file /home/services/invidious/invidious-2/docker-compose-novpn.yml up -d --force-recreate invidious --remove-orphans
docker compose --file /home/services/invidious/invidious-3/docker-compose-novpn.yml up -d --force-recreate invidious --remove-orphans
docker compose --file /home/services/invidious/invidious-4/docker-compose.yml up -d --force-recreate invidious --remove-orphans


@ -1,7 +0,0 @@
#!/bin/bash
docker compose --file /home/services/invidious/invidious-feed-receiver/docker-compose.yml up -d --force-recreate --remove-orphans
docker compose --file /home/services/invidious/invidious/docker-compose.yml up -d --force-recreate --remove-orphans
docker compose --file /home/services/invidious/invidious-2/docker-compose-novpn.yml up -d --force-recreate --remove-orphans
docker compose --file /home/services/invidious/invidious-3/docker-compose-novpn.yml up -d --force-recreate --remove-orphans
docker compose --file /home/services/invidious/invidious-4/docker-compose.yml up -d --force-recreate --remove-orphans


@ -1,38 +0,0 @@
# https://docs.docker.com/reference/compose-file/extension/
x-common: &common
image: valkey/valkey:7.2-alpine
hostname: valkey
restart: unless-stopped
volumes:
- ./valkey.conf:/usr/local/etc/valkey/valkey.conf
command: "valkey-server /usr/local/etc/valkey/valkey.conf"
services:
# Cache needs to be separated since the cache data is bound to the IP
# address of the backend. Is not possible to mix cache between backends.
valkey:
<<: *common
networks:
- invidious
# valkey2:
# <<: *common
# networks:
# - invidious2
#
# valkey3:
# <<: *common
# networks:
# - invidious3
#
# valkey4:
# <<: *common
# networks:
# - invidious4
#
# valkey5:
# <<: *common
# networks:
# - invidious5


@ -1,7 +0,0 @@
maxmemory 2048mb
maxmemory-policy volatile-lfu
# Disable AOF
appendonly no
# Disable RDB
save ""

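--- a/nginx.conf
+++ b/nginx.conf
@@ -0,0 +1,75 @@
+worker_processes auto;
+events {
+worker_connections 4096;
+multi_accept on;
+use epoll;
+}
+http {
+upstream http3-ytproxy {
+keepalive 256;
+server unix:/tmp/http-ytproxy.sock;
+}
+upstream companion {
+keepalive 256;
+server 172.50.0.3:8081;
+}
+# Docker DNS resolver!
+resolver 127.0.0.11;
+access_log off;
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+# Restrict to HTTP/1.1 since HTTP/2 is not useful for DASH video streaming.
+# HTTP/1.1 also uses a fairly low ammount of CPU compared to HTTP/2.
+# HTTP/2 is useful for requesting a lot of files at the same time, but
+# for DASH video streaming you download the video in a synchronously way,
+# making HTTP/2 useless for it.
+http2 off;
+ssl_certificate /certs/cert.pem;
+ssl_certificate_key /certs/cert.pem.key;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_early_data on;
+ssl_conf_command Options KTLS;
+server {
+server_name ${EXVPP_HOST};
+listen 443 ssl reuseport;
+location / {
+proxy_pass http://http3-ytproxy;
+sendfile_max_chunk 512k;
+proxy_buffering off;
+aio threads=default;
+aio_write on;
+directio 16m;
+proxy_http_version 1.1;
+proxy_set_header Connection keep-alive;
+}
+}
+server {
+server_name ${COMPANION_HOST};
+listen 443 ssl;
+location / {
+proxy_pass http://companion;
+proxy_http_version 1.1;
+proxy_set_header Connection keep-alive;
+}
+}
+}
+# vim: ts=2 sw=2 et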
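Review bot: `ssl_early_data on` accepts TLS 1.3 0-RTT data, which a network attacker can replay, and both `location /` blocks forward those requests without marking them; add `proxy_set_header Early-Data $ssl_early_data;` to each `location` so companion and ytproxy can answer 425 to non-idempotent early requests, or leave early data off for the `${COMPANION_HOST}` server where replays matter most. The `companion` upstream is hard-coded as `172.50.0.3:8081`, while haproxy.cfg reaches the same service by name (`gluetun:8081` through the Docker resolver); gluetun's static address is not visible in the compose files shown, so if it is not pinned there this upstream follows whichever container happens to get that IP — prefer the service name with the `resolve` parameter (in OSS nginx since 1.27.3 as far as I know, and `NGINX_TAG` is 1.27.4) or document the pinning in a comment. The first `server` block (the one with `reuseport`) also becomes the default for any SNI name other than `${EXVPP_HOST}` or `${COMPANION_HOST}`; an explicit `default_server` that returns 444 makes that choice deliberate rather than accidental.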


@ -1,37 +0,0 @@
services:
peertube:
image: chocobozzz/peertube:production-bookworm
container_name: peertube
# build:
# context: .
# args:
# VERSION: production
env_file:
- .env
ports:
- "0.0.0.0:1935:1935" # Comment if you don't want to use the live feature
- "127.0.0.1:10016:9000" # Uncomment if you use another webserver/proxy or test PeerTube in local, otherwise not suitable for production
volumes:
# Remove the following line if you want to use another webserver/proxy or test PeerTube in local
- assets:/app/client/dist
- ./docker-volume/data:/data
- ./docker-volume/config:/config
- /var/run/postgresql/.s.PGSQL.5432:/var/run/postgresql/.s.PGSQL.5432:rw
# group_add:
# - 989
# devices:
# - /dev/dri:/dev/dri
depends_on:
- redis
restart: "always"
redis:
image: valkey/valkey:7.2-alpine
container_name: peertube-valkey
volumes:
- ./docker-volume/redis:/data
restart: "always"
volumes:
assets:
certbot-www:


@ -1,27 +0,0 @@
services:
privatebin:
image: privatebin/nginx-fpm-alpine:latest
container_name: privatebin
user: "65534:82"
read_only: false # not in compose 3.0 documentation but appears supported based
# on issues for docker compose in Github
volumes:
- privatebin-data:/srv/data # data volume for pastes allows pastes
# to persist after container stop or restart
- './cfg:/srv/cfg:ro' # second volume for custom configuration file
ports:
# To update: Be sure to use a reverse proxy for HTTPS termination
# in front of it for production environments.
# ie, The Nginx setup supports only HTTP, so make sure that you run
# another webserver as reverse proxy in front of this for HTTPS
#offloading and reducing the attack surface on your TLS stack. The
# Nginx in this image is set up to deflate/gzip text content.
- 10002:8080
restart: always
networks:
default:
name: privatebin
volumes:
privatebin-data:

54
proxy-components.yml Normal file

@ -0,0 +1,54 @@
services:
companion:
image: git.nadeko.net/fijxu/invidious-companion:${COMPANION_TAG}
user: 2000:2000
network_mode: "service:gluetun"
logging:
driver: "json-file"
options:
max-size: "100m"
max-file: "10"
volumes:
- ./cache:/var/tmp/youtubei.js:rw
depends_on:
webserver:
condition: service_started
gluetun:
condition: service_healthy
labels:
- "com.centurylinklabs.watchtower.enable=true"
ytproxy:
image: git.nadeko.net/fijxu/http3-ytproxy:latest
network_mode: "service:gluetun"
volumes:
- videoplayback_proxy:/tmp
depends_on:
gluetun:
condition: service_healthy
webserver:
condition: service_started
labels:
- "com.centurylinklabs.watchtower.enable=true"
gluetun:
image: qmcgaw/gluetun:${GLUETUN_TAG}
networks:
proxy-server:
ipv4_address: 172.50.0.4
sysctls:
- net.ipv6.conf.all.disable_ipv6=1
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
volumes:
- ./gluetun:/gluetun
watchtower:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WATCHTOWER_LABEL_ENABLE=true
- WATCHTOWER_POLL_INTERVAL=30
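Review bot: The watchtower service bind-mounts `/var/run/docker.sock`, which gives that container the same control over the host as the Docker daemon itself, so a compromised watchtower image or registry would not be contained by the `WATCHTOWER_LABEL_ENABLE` filter. If the mount has to stay, a restricted socket proxy that exposes only the endpoints watchtower needs, plus pinning `containrrr/watchtower` to an explicit tag or digest rather than the implicit latest, would limit the blast radius; the same definition appears in the host-networking compose file added in the `@ -0,0 +1,58 @@` hunk. On a smaller point, `ytproxy` hard-codes `:latest` while the companion and gluetun images are parameterized through `${COMPANION_TAG}` and `${GLUETUN_TAG}`; `image: git.nadeko.net/fijxu/http3-ytproxy:${YTPROXY_TAG}` would keep the three consistent. `ytproxy` also has no `user:` entry, unlike companion's `2000:2000`, so it runs as whatever uid the image defaults to — worth confirming that is non-root.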


@ -1,18 +0,0 @@
services:
rimgo:
image: quay.io/pussthecatorg/rimgo:latest
container_name: rimgo
ports:
- "10001:3000" # Replace with "3000:3000" if you don't use a reverse proxy
environment:
- "PORT=3000"
- "ADDRESS=0.0.0.0"
- "IMGUR_CLIENT_ID=546c25a59c58ad7"
env_file: .env
restart: unless-stopped
labels:
- "com.centurylinklabs.watchtower.no-pull=true"
networks:
default:
name: rimgo


@ -1,57 +0,0 @@
# This compose file is compatible with Compose itself, it might need some
# adjustments to run properly with stack.
services:
synapse:
container_name: synapse
image: docker.io/matrixdotorg/synapse:1.127.1
restart: unless-stopped
environment:
- SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
- SYNAPSE_SERVER_NAME=nadeko.net
- SYNAPSE_REPORT_STATS=no
volumes:
- ./synapse_data:/data:rw
- ./synapse_data/homeserver.yaml:/data/homeserver.yaml:ro
- /var/run/postgresql/:/run/postgresql:rw
ports:
- 127.0.0.1:10022:8008/tcp
- 127.0.0.1:9183:9183/tcp
mautrix-telegram:
image: dock.mau.dev/mautrix/telegram:latest
container_name: mautrix-telegram
restart: unless-stopped
volumes:
- ./mautrix-telegram_data:/data:z
- /var/run/postgresql/:/run/postgresql:rw
depends_on:
synapse:
condition: service_healthy
mautrix-whatsapp:
image: dock.mau.dev/mautrix/whatsapp:latest
container_name: mautrix-whatsapp
restart: unless-stopped
volumes:
- ./mautrix-whatsapp_data:/data:z
- /var/run/postgresql/:/run/postgresql:rw
depends_on:
synapse:
condition: service_healthy
element:
image: vectorim/element-web:latest
restart: unless-stopped
volumes:
- ./element-web/config.json:/app/config.json:ro
ports:
- 127.0.0.1:10024:80/tcp
synapse-admin:
image: ghcr.io/etkecc/synapse-admin:latest
ports:
- 127.0.0.1:10025:80
restart: unless-stopped


@ -0,0 +1,58 @@
# The same docker-compose.yml file but without gluetun and just host networking
services:
haproxy:
# https://github.com/iuridiniz/haproxy-quic-docker
# Image to support QUIC
image: iuridiniz/haproxy:3.0
restart: always
# Run as root to allow binding to port 80 and 443
user: 0:0
network_mode: host
env_file:
- .env
volumes:
- ./haproxy-host.cfg:/etc/haproxy/haproxy.cfg
- ./denylist.txt:/etc/haproxy/denylist.txt
- ./key.key:/certs/cert.pem.key
- ./fullchain.pem:/certs/cert.pem
- videoplayback_proxy:/tmp
http3-ytproxy:
image: git.nadeko.net/fijxu/http3-ytproxy:latest
restart: unless-stopped
network_mode: host
env_file:
- .env
volumes:
- videoplayback_proxy:/tmp
labels:
- "com.centurylinklabs.watchtower.enable=true"
depends_on: ["haproxy"]
companion:
image: git.nadeko.net/fijxu/invidious-companion:latest
restart: unless-stopped
network_mode: host
user: 2000:2000
env_file:
- .env
environment:
- HOST=127.0.0.1
volumes:
- ./cache:/var/tmp/youtubei.js:rw
- ./proxies.txt:/app/proxies.txt
labels:
- "com.centurylinklabs.watchtower.enable=true"
depends_on: ["haproxy"]
watchtower:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WATCHTOWER_LABEL_ENABLE=true
- WATCHTOWER_POLL_INTERVAL=60
volumes:
videoplayback_proxy:
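Review bot: `haproxy` runs as `user: 0:0` on `network_mode: host`, and the comment justifies this by the need to bind ports 80 and 443, yet the `global` section of haproxy-host.cfg added in this commit carries no `user`/`group` directive, so the worker processes stay root for their whole lifetime rather than only for the bind. Adding `user haproxy` and `group haproxy` to that `global` section (assuming the image ships a haproxy account, as the official image does) keeps the privileged bind while dropping the request-handling workers to an unprivileged uid; if the image's binary already carries cap_net_bind_service, the root user may not be needed at all. The TLS material would also be safer mounted read-only, `- ./key.key:/certs/cert.pem.key:ro` and `- ./fullchain.pem:/certs/cert.pem:ro`, so a compromised proxy cannot alter the key or chain on the host. With host networking the `depends_on: ["haproxy"]` ordering gives no isolation, so companion's `HOST=127.0.0.1` is what keeps port 8081 off the public interfaces — note that http3-ytproxy has no equivalent setting visible here.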

68
unused/haproxy-host.cfg Normal file

@ -0,0 +1,68 @@
# Good info about TLS speeds: https://istlsfastyet.com/
global
# This because haproxy is dumb and likes to use the maxconnection from the kernel and that is super mega huge making haproxy oom
# maxconn 32768
# Tied to net.core.somaxconn kernel parameter
resolvers docker
# Without this, if a container crashes, haproxy will not be
# able to find where the recreated container is.
# Ref: https://stackoverflow.com/a/42135283
nameserver dns1 127.0.0.11:53
defaults
mode http
timeout client 30s
timeout connect 5s
timeout server 30s
http-reuse safe
option splice-auto
option tcp-smart-connect
# Prometheus for graphs
frontend prometheus
bind *:10000
mode http
http-request use-service prometheus-exporter if { path /metrics }
no log
frontend www
bind *:80
#bind *:443 ssl crt /certs/cert.pem alpn h2,http/1.1 allow-0rtt
bind *:443 ssl crt /certs/cert.pem alpn http/1.1
# https://docs.haproxy.org/3.0/configuration.html#4.2-tcp-request%20connection
# https://docs.haproxy.org/3.0/configuration.html#4.2-http-request
http-request deny if { src -f /etc/haproxy/denylist.txt }
filter bwlim-out video-streaming default-limit 5000k default-period 1s
# QUIC is not really needed for video streaming and it uses a lot of CPU.
# Ref: https://news.ycombinator.com/item?id=23585120
#bind quic4@:443 ssl crt /certs/cert.pem alpn h3 allow-0rtt
#http-after-response add-header alt-svc 'h3=":443"; ma=900'
# HAPROXY_EXVPP_HOST: The external video playback host
acl c hdr(host) -i "$COMPANION_HOST"
acl cc hdr(host) -i "$COMPANION_HOST":8443
acl h hdr(host) -i "$EXVPP_HOST"
acl hh hdr(host) -i "$EXVPP_HOST":8443
http-request set-bandwidth-limit video-streaming if h || hh
http-request redirect scheme https unless { ssl_fc }
acl health_check path /health
http-request return status 200 if health_check
acl videoplayback path_beg /videoplayback
use_backend http3-ytproxy if h || hh
use_backend companion if c || cc
backend http3-ytproxy
#server s1 gluetun:8080 resolvers docker init-addr libc,none
server s1 unix@/tmp/http-ytproxy.sock
backend companion
server s1 127.0.0.1:8081 check resolvers docker init-addr libc,none
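Review bot: `frontend prometheus` binds `*:10000` with no source restriction, and because the compose file in this commit runs haproxy with host networking, the metrics endpoint is reachable from every interface of the host unless a firewall intervenes; `bind 127.0.0.1:10000`, or an `http-request deny unless { src 127.0.0.0/8 }` guard, would confine it to local scrapers. In `frontend www`, `http-request` rules are evaluated in order, so `http-request redirect scheme https unless { ssl_fc }` fires before `http-request return status 200 if health_check`, and a plaintext probe of /health receives a redirect rather than 200 — if the health checker speaks plain HTTP, the return line should be moved above the redirect. `acl videoplayback path_beg /videoplayback` is defined but never referenced and can be dropped. The `global` section sets no `user`/`group`, so workers keep whatever uid the container starts with; `user haproxy` / `group haproxy` there would drop privileges after the port 80/443 bind.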


@ -1,15 +0,0 @@
services:
# Watchtower used for my own OCI images at https://git.nadeko.net/Fijxu/-/packages
watchtower-trusted-fast:
image: containrrr/watchtower
container_name: watchtower-trusted-fast
restart: unless-stopped
volumes: [ "/var/run/docker.sock:/var/run/docker.sock" ]
command: --interval 30 --scope trusted-fast
watchtower-trusted:
image: containrrr/watchtower
container_name: watchtower-trusted
restart: unless-stopped
volumes: [ "/var/run/docker.sock:/var/run/docker.sock" ]
command: --interval 900 --scope trusted