homeserver-iac/roles/containers/templates/docker-compose.yml.j2

# vim: ft=yaml


# docker doesn't play well with the firewall, so i have it listen on 127.0.0.1
# and have haproxy expose it publicly (won't disrespect firewall rules)

---

networks:
  gitea:
    driver: bridge
  navidrome:
    driver: bridge

services:
{% if "gitea" in group_names %}
  gitea:
    container_name: gitea
    image: gitea/gitea:latest
    environment:
      - USER=gitea
      - USER_UID={{ user_gitea.uid }}
      - USER_GID={{ user_gitea.group }}
      - GITEA__service__DISABLE_REGISTRATION=true
      - GITEA__server__DOMAIN={{ gitea_domain }}
      - GITEA__server__SSH_DOMAIN={{ gitea_domain }}
    ports:
      - "127.0.0.1:3000:3000"
      - "127.0.0.1:2498:22"
    restart: unless-stopped
    volumes:
      - {{ dataroot }}/gitea:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - gitea

{% endif %}
{% if "syncthing" in group_names %}
  syncthing:
    network_mode: host
    container_name: syncthing
    image: syncthing/syncthing
    environment:
      - PUID={{ user_syncthing.uid }}
      - PGID={{ user_syncthing.group }}
    restart: unless-stopped
    volumes:
      - {{ vault_path }}/:/vault
      - {{ archive_path }}/:/vault_a
      - {{ syncthing_conf_dir }}/:/var/syncthing/config
      - "{{ music_path }}:/music"
      - "{{ dataroot }}/paperless/consume:/paperless"

{% endif %}
{% if "navidrome" in group_names %}
  navidrome:
    container_name: navidrome
    image: ghcr.io/navidrome/navidrome:latest
    user: {{ user_navidrome.uid }}:{{ user_navidrome.group }}
    environment:
      ND_LISTENBRAINZ_ENABLED: true
      ND_ENABLESHARING: {{ navidrome_sharing | default("false", true) }}
    restart: unless-stopped
    volumes:
      - "{{ dataroot }}/navidrome:/data"
      - "{{ music_path }}/:/music:ro"
    networks:
      - navidrome
    ports:
      - "127.0.0.1:4533:4533"

{% endif %}
{% if "synapse" in group_names %}
  synapse:
    container_name: synapse
    image: matrixdotorg/synapse:latest
    user: {{ user_synapse.uid }}:{{ user_synapse.group }}
    environment:
      SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
    restart: unless-stopped
    volumes:
      - "{{ dataroot }}/synapse/media_store:/data/media_store"
      - "{{ dataroot }}/synapse/data:/data"
    networks:
      - navidrome
    ports:
      - "127.0.0.1:8008:8008/tcp"

{% endif %}

{% if "paperless" in group_names %}
  paperless-broker:
    container_name: paperless-broker
    image: docker.io/library/redis:7
    restart: unless-stopped
    volumes:
      - redisdata:/data

  paperless-web:
    container_name: paperless-web
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    depends_on:
      - paperless-broker
    ports:
      - "127.0.0.1:8000:8000"
    healthcheck:
      test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"]
      interval: 30s
      timeout: 10s
      retries: 5
    volumes:
      - "{{ dataroot }}/paperless/data:/usr/src/paperless/data"
      - "{{ dataroot }}/paperless/media:/usr/src/paperless/media"
      - paperless-export:/usr/src/paperless/export
      - "{{ dataroot }}/paperless/consume:/usr/src/paperless/consume"
    env_file: paperless.env
    environment:
      USERMAP_UID: "{{ user_paperless.uid }}"
      # it gets the vault group because otherwise syncthing can't read the consume dir
      USERMAP_GID: "{{ user_syncthing.group }}"
      PAPERLESS_REDIS: redis://paperless-broker:6379
      PAPERLESS_URL: "https://{{ paperless_domain }}"
      PAPERLESS_USE_X_FORWARD_HOST: true
      PAPERLESS_USE_X_FORWARD_PORT: true
      PAPERLESS_OCR_USER_ARGS: '{"continue_on_soft_render_error": true}'
      PAPERLESS_OCR_PAGES: 1
      PAPERLESS_TASK_WORKERS: 2
      PAPERLESS_THREADS_PER_WORKER: 2
      PAPERLESS_WEBSERVER_WORKERS: 1
      PAPERLESS_ENABLE_NLTK: false
{% endif %}

{% if "paperless" in group_names %}
volumes:
  redisdata:
  paperless-export:
{% endif %}