bensuperpc/infrastructure

Infrastructure

Open source, decentralized and self-hosted infrastructure for many local services and authentication with Authelia.

Features

  • caddy 2 HTTP/S reverse proxy
  • Authelia (SSO / authentication middleware)
  • Open-WebUI + Ollama (Local chatGPT)
  • qbittorrent and transmission (Torrent client/server)
  • Docker / docker-compose
  • Homepage (Dashboard)
  • SearXNG (Self-hosted search engine)
  • Jellyfin (Eg Netflix, Disney+)
  • Forgejo (Git server, fork of Gitea)
  • Uptime Kuma (Monitoring)
  • Argus (Application update monitoring)
  • SyncThing (File synchronization)
  • Dufs (File server)
  • PsiTransfer, ProjectSend, Picoshare (File sharing)
  • it-tools, omni-tools and cyberchef (Tools for IT)
  • Privatebin
  • Memos (Note-taking)
  • Stirling PDF (PDF tools)
  • Wordpress (Via FASTCGI/caddy)
  • Dependency-Track (SBOM / vulnerability tracking)
  • Game (Satisfactory, Minecraft, 7 Days to Die, Team Fortress 2 etc...)

Architecture

Architecture

Screenshots

The homepage is a dashboard with many widgets and services.

Homepage

Installation and configuration

Requirements

List of ports used by the services in this infrastructure:

| Port number | Service | Description |
|---|---|---|
| 80 | Caddy | HTTP traffic |
| 443 | Caddy | HTTPS traffic |
| 22 | Forgejo | Git/SSH access |
| 2222 | OpenSSH | Global SSH access |
| 7777 | Satisfactory | Game server port |
| 8888 | Satisfactory | Game server port |
| 25565 | Minecraft | Game server port |
| 8100 | Bluemap | Minecraft Web map port |
| 26900 | 7 Days to Die | Game server port |
| 26901 | 7 Days to Die | Game server port |
| 26903 | 7 Days to Die | Game server port |
| 27015 | Team Fortress 2 | Game server port |

To avoid hitting the Let's Encrypt rate limit (10 certificates per 3 hours), you need to disable some certificates in the Caddyfiles and enable them 3 hours later.

Clone

Clone this repository to your local machine using:

git clone --recurse-submodules --remote-submodules https://github.com/bensuperpc/infrastructure.git

Go to the folder

cd infrastructure

Start the infrastructure

Start the website with:

make up

Stop the website with:

make stop

Remove containers with:

make down

Services are enabled via preset configuration files in the presets/ directory.

The active presets are declared in the Makefile via the CONFIGS variable. For example, CONFIGS := chatgpt loads presets/chatgpt.conf, which activates the main_infrastructure, caddy, openssh, and openwebui profiles.

Configure the domain

You need to replace every occurrence of bensuperpc.org with your own domain (for example, mydomain.com), and do the same for bensuperpc.com, etc.

find . \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/bensuperpc\.org/mydomain.com/g'

Check that every bensuperpc.* occurrence in the Caddyfile has been replaced by your domain.

And then, caddy will generate the certificate for you and renew it automatically :D

| Domain name | Type | Description |
|---|---|---|
| bensuperpc.org | Main | Redirect to www.bensuperpc.org |
| www.bensuperpc.org | Main | Homepage |
| openwebui.bensuperpc.org | Sub | For local chatGPT with ollama and openweb-ui |
| authelia.bensuperpc.org | Sub | Authelia for authentication |
| uptimekuma.bensuperpc.org | Sub | Uptime Kuma for monitoring |
| qbittorrent.bensuperpc.org | Sub | Torrent client/server |
| dozzle.bensuperpc.org | Sub | Dozzle for docker logs |
| transmission.bensuperpc.org | Sub | Torrent client/server |
| forgejo.bensuperpc.org | Sub | Fork of Gitea for git |
| git.bensuperpc.org | Sub | Fork of Gitea for git |
| jellyfin.bensuperpc.org | Sub | Jellyfin for media server |
| syncthing.bensuperpc.org | Sub | SyncThing for file synchronization |
| psitransfer.bensuperpc.org | Sub | PsiTransfer for file sharing |
| it-tools.bensuperpc.org | Sub | Tools for IT |
| omni-tools.bensuperpc.org | Sub | Tools for IT |
| privatebin.bensuperpc.org | Sub | Privatebin |
| projectsend.bensuperpc.org | Sub | ProjectSend for file sharing |
| picoshare.bensuperpc.org | Sub | Picoshare for file sharing |
| dufs.bensuperpc.org | Sub | Dufs for file sharing |
| memos.bensuperpc.org | Sub | Memos note-taking app |
| stirlingpdf.bensuperpc.org | Sub | Stirling PDF tools |
| argus.bensuperpc.org | Sub | Argus for monitoring application updates |
| searxng.bensuperpc.org | Sub | SearXNG self-hosted search engine |
| dependency-track.bensuperpc.org | Sub | SBOM / vulnerability analysis |
| wordpress.bensuperpc.org | Sub | Wordpress website |

Configure the infrastructure

You need to configure the infrastructure with your own configuration.

You can generate a password with 32 characters:

openssl rand -base64 32

Or online: passwordsgenerator.net

Caddy

For caddy_backup.env file, you need to change the password(s) for the restic backup.

RESTIC_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ

In the caddy.env file, you need to update some variables, like the main domain, mail domain and scheme (http or https).

MAIN_DOMAIN=bensuperpc.org
MAIL_DOMAIN=bensuperpc@gmail.com
# Scheme
SCHEME=https
# ignore_loaded_certs off
AUTO_HTTPS_OPTIONS=ignore_loaded_certs

Authelia

For authelia.env file, you need to change the password(s) and secret key:

AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=ht87MVnXkXhBpDkMUHqKDqdg8UGBJt+Fx5jNIqXnN2k=
AUTHELIA_SESSION_SECRET=nsvbXKGRXVZUCUkOapntlq/Zh+d75WacTK5Jgyh8zYk=
AUTHELIA_STORAGE_ENCRYPTION_KEY=aWeIT74xIhGVd9nUOr4YTToTl5rpBEbzc/fv4jemuos=
AUTHELIA_STORAGE_POSTGRES_HOST=authelia-postgres
AUTHELIA_STORAGE_POSTGRES_PORT=5432
AUTHELIA_STORAGE_POSTGRES_DATABASE=authelia_db
AUTHELIA_STORAGE_POSTGRES_USERNAME=authelia
AUTHELIA_STORAGE_POSTGRES_PASSWORD=sAdkxFW6k3GiMOrlBpl6OV76eb9cQz/uk95jmA2UpI8=

Same for authelia_postgres.env file, you need to change the password(s) and user for the database.

POSTGRES_USER=authelia
POSTGRES_PASSWORD=sAdkxFW6k3GiMOrlBpl6OV76eb9cQz/uk95jmA2UpI8=
POSTGRES_DB=authelia_db

You also need to update users_database.yml

docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'MyPassword'

Dozzle

To generate a new user for Dozzle (users.yml), you can use the following command:

docker run -it --rm amir20/dozzle generate bensuperpc --password mypassword --email bensuperpc@gmail.com --name "bensuperpc"

PsiTransfer

For psitransfer.env file, you need to change the secret key.

PSITRANSFER_ADMIN_PASS=n9jLVNT9QUotTJTT91JqH4GyBTg9pvEn

For projectsend_db.env file, you need to change the password(s) and user for the database.

MARIADB_ROOT_PASSWORD=8O34297GrBfT3Ld34Lfg9mpotmZwbJtt
MARIADB_USER=bensuperpc
MARIADB_PASSWORD=wdSUa1JEZhXie5AJ5NcX1w73xmpO12EY

Picoshare

For picoshare.env file, you need to change the secret key.

PS_SHARED_SECRET=CBuS4DJLqIe93xF1KGYRrnhxUFBqLD2n

Dufs

For the dufs.env file, you need to change the secret key and, if you want, the user name.

DUFS_AUTH="admin:heqihlOfBmJDESGFlpbPi7P7Mi6F7RkV@/:rw|@/:ro"

Stirling PDF

The stirlingpdf.env file is completely optional; you can change the password(s) and user.

# Enable security, optional
DOCKER_ENABLE_SECURITY=true
SECURITY_ENABLE_LOGIN=true
# Can be disabled after initial login, optional;
# default is admin:stirling
SECURITY_INITIALLOGIN_USERNAME=admin
SECURITY_INITIALLOGIN_PASSWORD=Jw9U039f5xc2mFcacvGvPD9RjwIh4DzO

OpenSSH

You need to add or replace the public SSH key id_ed25519.pub (it's my public key), and also change the config/password in openssh.env:

SUDO_ACCESS=true
#PUBLIC_KEY_URL=https://github.com/bensuperpc.keys
PUBLIC_KEY_DIR=/authorized_ssh_keys
USER_PASSWORD=rdUwf36C11PLmpU9Lvq7tP5pfFBKAuCh

#PUBLIC_KEY=yourpublickey
#PUBLIC_KEY_FILE=/path/to/file
#PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys
#USER_PASSWORD_FILE=/path/to/file

Open-WebUI

For open-webui.env file, you must change the secret key for the webui and configure its PostgreSQL backend.

WEBUI_SECRET_KEY=7d83b15a417d090ba5c6b899270a05dd215c60848354c0c7574226d6ff02f39e

Also update openwebui-postgres.env with your own credentials.

To download the model, use the Open-WebUI GUI or the following command:

docker exec -it ollama ollama run deepseek-r1:8b

Dependency-Track

For dependency-track.env file, you need to set the database credentials and the API server URL.

POSTGRES_USER=dtrack
POSTGRES_PASSWORD=<your_password>
POSTGRES_DB=dtrack_db
ALPINE_DATA_DIRECTORY=/data

The frontend is available at https://dependency-track.bensuperpc.org and the API server at /api/*. Default credentials are admin / admin; change them on first login.

Homepage

You can change the homepage config in these files:

Forgejo

For Forgejo installation, you must change the password(s) and user in forgejo_db.env file and forgejo.env file.

Once the installation is complete, you need to set the installation lock:

FORGEJO__security__INSTALL_LOCK=true

Forgejo Runner (Out of date)

docker exec -it forgejo_runner /bin/bash
forgejo-runner generate-config > /data/config.yml

Now update the config.yml file to support docker-in-docker:

  envs:
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: /certs/client
    DOCKER_HOST: tcp://docker:2376
  labels: ["ubuntu-latest:docker://node:20-bookworm", "ubuntu-22.04:docker://node:20-bookworm"]
  network: host
  options: -v /certs/client:/certs/client
  valid_volumes:
     - /certs/client

Register the runner with your Forgejo instance:

forgejo-runner register

You will need to provide the following information:

https://forgejo.bensuperpc.org/
<Your Registration Token, in https://forgejo.bensuperpc.org/admin/actions/runners>
ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-24.04
main

Docker volumes

This infrastructure uses Docker volumes to store data. For security and maintenance reasons, the configuration and data of each service are not shared with the other services; only public_data and private_data are shared between all services to store your data.

| Volume name | Description |
|---|---|
| public_data | Public data reachable on internet via dufs.bensuperpc.org, can be disabled. |
| private_data | Private data |

SSH access

The default port for SSH/rsync is 2222.

You can access the server with:

ssh -p 2222 admin@bensuperpc.org

Qbittorrent

To activate the alternative webui theme (VueTorrent), go to the qbittorrent settings, open the webui section, check "Use alternative webui" and enter /vuetorrent in the text field.

Local testing

If you want to test the infrastructure locally, you can add these lines in your /etc/hosts file:

127.0.0.1 openwebui.bensuperpc.org
127.0.0.1 authelia.bensuperpc.org
127.0.0.1 memos.bensuperpc.org
127.0.0.1 stirlingpdf.bensuperpc.org
127.0.0.1 public.bensuperpc.org
127.0.0.1 private.bensuperpc.org
127.0.0.1 jellyfin.bensuperpc.org
127.0.0.1 syncthing.bensuperpc.org
127.0.0.1 psitransfer.bensuperpc.org
127.0.0.1 projectsend.bensuperpc.org
127.0.0.1 picoshare.bensuperpc.org
127.0.0.1 dufs.bensuperpc.org
127.0.0.1 it-tools.bensuperpc.org
127.0.0.1 omni-tools.bensuperpc.org
127.0.0.1 privatebin.bensuperpc.org
127.0.0.1 forgejo.bensuperpc.org
127.0.0.1 git.bensuperpc.org
127.0.0.1 qbittorrent.bensuperpc.org
127.0.0.1 transmission.bensuperpc.org
127.0.0.1 uptimekuma.bensuperpc.org
127.0.0.1 wordpress.bensuperpc.org
127.0.0.1 searxng.bensuperpc.org
127.0.0.1 dependency-track.bensuperpc.org
127.0.0.1 homepage.bensuperpc.org

Then update the caddy.env file with your local domain to disable the letsencrypt certificate generation and auto redirect to https:

MAIN_DOMAIN=bensuperpc.org
# Scheme
SCHEME=https
# ignore_loaded_certs off
AUTO_HTTPS_OPTIONS=ignore_loaded_certs

Also remove every import authelia_middleware line from the Caddyfiles, because Authelia needs HTTPS to work.

Wordpress

For the wordpress.env file, you need to change the password and user for the database.

WORDPRESS_DB_USER=bensuperpc
WORDPRESS_DB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw

For wordpress_db.env file, you need to change the password(s) and user for the database.

MARIADB_ROOT_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ
MARIADB_USER=bensuperpc
MARIADB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw

For wordpress_backup.env file, you need to change the password(s) for the restic backup.

RESTIC_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ
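
One way to check that the credential changes described in the sections above were actually made, as an added example that is not part of this repository: it reports every credential-like key in your .env files that still has the published value, and the two client/server password pairs that the examples above show with identical values when they no longer match. The two directory arguments (a pristine clone's env directory and your deployed one) and all function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the repository): audit deployed .env files.
# Assumption: $1 is the env directory of a pristine clone, $2 is yours.

# Print the credential-like key names assigned in an env file.
secret_keys() {
    sed -n -E 's/^([A-Za-z0-9_]*((PASS|SECRET)[A-Za-z0-9_]*|_(KEY|AUTH)))=.*/\1/p' "$1" | sort -u
}

# Print the value of KEY ($2) in FILE ($1); the last assignment wins.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Report every credential whose deployed value still equals the published one.
audit_defaults() {
    for f in "$2"/*.env; do
        base=${f##*/}
        [ -f "$f" ] && [ -f "$1/$base" ] || continue
        for key in $(secret_keys "$f"); do
            if [ "$(env_get "$f" "$key")" = "$(env_get "$1/$base" "$key")" ]; then
                echo "UNCHANGED $base $key"
            fi
        done
    done
}

# Report a client/server credential pair whose values differ.
check_pair() {
    [ -f "$1" ] && [ -f "$3" ] || return 0
    [ "$(env_get "$1" "$2")" = "$(env_get "$3" "$4")" ] || echo "MISMATCH $2 vs $4"
}

# Run every check; the pairs are the ones shown above with identical values.
audit_all() {
    audit_defaults "$1" "$2"
    check_pair "$2/authelia.env" AUTHELIA_STORAGE_POSTGRES_PASSWORD \
               "$2/authelia_postgres.env" POSTGRES_PASSWORD
    check_pair "$2/wordpress.env" WORDPRESS_DB_PASSWORD \
               "$2/wordpress_db.env" MARIADB_PASSWORD
}

# Stand-alone use: sh audit_env.sh <pristine_dir> <deployed_dir>
if [ "$#" -eq 2 ]; then
    report=$(audit_all "$1" "$2")
    [ -z "$report" ] || { printf '%s\n' "$report"; exit 1; }
fi
```

The script exits non-zero when anything is reported, so it can gate `make up` in a deployment wrapper.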

Sources

License

License
