current configuration

.gitignore

@@ -0,0 +1,17 @@
+# ignore all
+*
+
+# except these files
+
+!.gitignore
+
+!*/docker-compose.yml
+!*/Dockerfile
+!*.example
+!*.template
+
+!caddy/conf/Caddyfile
+!immich/*.yml
+
+# even if they are in subdirectories
+!*/

authentik/docker-compose.yml

@@ -31,14 +31,17 @@ services:
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12}
-    ports:
+    # ports:
-    - ${COMPOSE_PORT_HTTP:-9000}:9000
+    # - ${COMPOSE_PORT_HTTP:-9000}:9000
-    - ${COMPOSE_PORT_HTTPS:-9443}:9443
+    # - ${COMPOSE_PORT_HTTPS:-9443}:9443
     restart: unless-stopped
     volumes:
     - ./data:/data
     - ./custom-templates:/templates
+    networks:
+    - default
+    - caddynet
   worker:
     command: worker
     depends_on:
@@ -52,7 +55,7 @@ services:
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12}
     restart: unless-stopped
     user: root
     volumes:
@@ -63,3 +66,6 @@ services:
 volumes:
   database:
     driver: local
+networks:
+  caddynet:
+    external: true

caddy/conf/Caddyfile

@@ -0,0 +1,24 @@
+me.kiwisflight.com:443 {
+	root * /srv
+	file_server
+}
+
+auth.kiwisflight.com:443 {
+	reverse_proxy authentik-server-1:9000
+}
+
+nc.kiwisflight.com:443 {
+	reverse_proxy nextcloud-aio-apache:11000
+}
+
+immich.kiwisflight.com:443 {
+	reverse_proxy immich-server:2283
+}
+
+gitea.kiwisflight.com:443 {
+	reverse_proxy gitea:3000
+}
+
+llm.kiwisflight.com:443 {
+	reverse_proxy open-webui-openwebui-1:8080
+}

caddy/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   caddy:
-    image: caddy:<version>
+    image: caddy:latest
     restart: unless-stopped
     ports:
       - "80:80"
@@ -11,8 +11,13 @@ services:
       - ./site:/srv
       - caddy_data:/data
       - caddy_config:/config
+    networks:
+      - caddynet
 
 volumes:
   caddy_data:
   caddy_config:
 
+networks:
+  caddynet:
+    external: true

gitea/Dockerfile

@@ -0,0 +1,6 @@
+FROM gitea/gitea:latest
+
+RUN apk --no-cache add asciidoctor freetype freetype-dev gcc g++ libpng libffi-dev pandoc python3-dev py3-pyzmq pipx
+
+RUN pipx install jupyter docutils --include-deps --global
+

gitea/docker-compose.yml

@@ -1,23 +1,26 @@
-
 networks:
   gitea:
     external: false
+  caddynet:
+    external: true
 
 services:
   server:
-    image: docker.gitea.com/gitea:1.25.4
+    build:
+      dockerfile: Dockerfile
+    image: gitea-with-pandoc-local
     container_name: gitea
     environment:
       - USER_UID=1000
       - USER_GID=1000
-    restart: always
+    restart: unless-stopped
     networks:
       - gitea
+      - caddynet
     volumes:
-      - ./gitea:/data
+      - ./data:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     ports:
-      - "3000:3000"
+      # - "3000:3000"
-      - "222:22"
+      - "2223:22"
-

immich/docker-compose.yml

@@ -13,17 +13,20 @@ services:
   immich-server:
     container_name: immich_server
     image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
-    # extends:
+    extends:
-    #   file: hwaccel.transcoding.yml
+      file: hwaccel.transcoding.yml
-    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
+      service: nvenc # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
     volumes:
       # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
       - ${UPLOAD_LOCATION}:/data
       - /etc/localtime:/etc/localtime:ro
     env_file:
       - .env
-    ports:
+    # ports:
-      - '2283:2283'
+      # - '2283:2283'
+    networks:
+      - default
+      - caddynet
     depends_on:
       - redis
       - database
@@ -35,10 +38,10 @@ services:
     container_name: immich_machine_learning
     # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
     # Example tag: ${IMMICH_VERSION:-release}-cuda
-    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
+    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}-cuda
-    # extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
+    extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
-    #   file: hwaccel.ml.yml
+      file: hwaccel.ml.yml
-    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+      service: cuda # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
     volumes:
       - model-cache:/cache
     env_file:
@@ -49,7 +52,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
+    image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
     healthcheck:
       test: redis-cli ping || exit 1
     restart: always
@@ -69,8 +72,9 @@ services:
       - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
     shm_size: 128mb
     restart: always
-    healthcheck:
-      disable: false
 
 volumes:
   model-cache:
+networks:
+  caddynet:
+    external: true

immich/env.example

@@ -7,7 +7,7 @@ UPLOAD_LOCATION=/pool/immich
 DB_DATA_LOCATION=./postgres
 
 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
-TZ=Asia/Seoul
+TZ=
 
 # The Immich version to use. You can pin this to a specific version like "v2.1.0"
 IMMICH_VERSION=v2
@@ -17,11 +17,10 @@ IMMICH_VERSION=v2
 DB_PASSWORD=
 
 
-CPU_CORES=
+CPU_CORES=8
 
 
 # The values below this line do not need to be changed
 ###################################################################################
 DB_USERNAME=postgres
 DB_DATABASE_NAME=immich
-

immich/hwaccel.ml.yml

@@ -55,3 +55,4 @@ services:
     volumes:
       - /dev/bus/usb:/dev/bus/usb
       - /usr/lib/wsl:/usr/lib/wsl
+

immich/hwaccel.transcoding.yml

@@ -53,3 +53,4 @@ services:
       - /usr/lib/wsl:/usr/lib/wsl
     environment:
       - LIBVA_DRIVER_NAME=d3d12
+

nextcloud/docker-compose.yml

@@ -1,30 +1,32 @@
 name: nextcloud-aio # Add the container to the same compose project like all the sibling containers are added to automatically.
+
 services:
   nextcloud-aio-mastercontainer:
     image: ghcr.io/nextcloud-releases/all-in-one:latest # This is the container image used. You can switch to ghcr.io/nextcloud-releases/all-in-one:beta if you want to help testing new releases. See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
     init: true # This setting makes sure that signals from main process inside the container are correctly forwarded to children. See https://docs.docker.com/reference/compose-file/services/#init
-    restart: always # This makes sure that the container starts always together with the host OS. See https://docs.docker.com/reference/compose-file/services/#restart
+    restart: unless-stopped # This makes sure that the container starts always together with the host OS. See https://docs.docker.com/reference/compose-file/services/#restart
     container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
     volumes:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
       - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
-    network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
+    # network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
-    # networks: ["nextcloud-aio"]
+    networks:
+      - caddynet
     ports:
-      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       - 8080:8080 # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
-      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
     # security_opt: ["label:disable"] # Is needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
-    # environment: # Is needed when using any of the options below
+    environment: # Is needed when using any of the options below
       # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
-      # APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # APACHE_ADDITIONAL_NETWORK: frontend_net # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      APACHE_ADDITIONAL_NETWORK: caddynet # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
       # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
       # DOCKER_API_VERSION: 1.44 # You can adjust the internally used docker api version with this variable. ⚠️⚠️⚠️ Warning: please note that only the default api version (unset this variable) is supported and tested by the maintainers of Nextcloud AIO. So use this on your own risk and things might break without warning. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version
       # FULLTEXTSEARCH_JAVA_OPTIONS: "-Xms1024M -Xmx1024M" # Allows to adjust the fulltextsearch java options. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-fulltextsearch-java-options
-      # NEXTCLOUD_DATADIR: /mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+      NEXTCLOUD_DATADIR: /pool/nextcloud/data # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
       # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
       # NEXTCLOUD_UPLOAD_LIMIT: 16G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
       # NEXTCLOUD_MAX_TIME: 3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
@@ -34,44 +36,17 @@ services:
       # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
       # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
       # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
-      # NEXTCLOUD_ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
+      NEXTCLOUD_ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
       # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
       # SKIP_DOMAIN_VALIDATION: false # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation
       # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using which is exposed on the host. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
       # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
-
+    extra_hosts:
-#   # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/discussions/575
+      - "host.docker.internal:host-gateway"
-#   # Alternatively, use Tailscale if you don't have a domain yet. See https://github.com/nextcloud/all-in-one/discussions/6817
-#   # Hint: You need to uncomment APACHE_PORT: 11000 above, adjust cloud.example.com to your domain and uncomment the necessary docker volumes at the bottom of this file in order to make it work
-#   # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
-#   caddy:
-#     image: caddy:alpine
-#     restart: always
-#     container_name: caddy
-#     volumes:
-#       - caddy_certs:/certs
-#       - caddy_config:/config
-#       - caddy_data:/data
-#       - caddy_sites:/srv
-#     network_mode: "host"
-#     configs:
-#       - source: Caddyfile
-#         target: /etc/caddy/Caddyfile
-# configs:
-#   Caddyfile:
-#     content: |
-#       # Adjust cloud.example.com to your domain below
-#       https://cloud.example.com:443 {
-#         reverse_proxy localhost:11000
-#       }
 
 volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
   nextcloud_aio_mastercontainer:
     name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
-  # caddy_certs:
-  # caddy_config:
-  # caddy_data:
-  # caddy_sites:
 
 # # Adjust the MTU size of the docker network. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-mtu-size-of-the-docker-network
 # networks:
@@ -79,3 +54,7 @@ volumes: # If you want to store the data on a different drive, see https://githu
 #     name: nextcloud-aio
 #     driver_opts:
 #       com.docker.network.driver.mtu: 1440
+
+networks:
+  caddynet:
+    external: true

open-webui/docker-compose.yml

@@ -1,9 +1,26 @@
 services:
   openwebui:
-    image: ghcr.io/open-webui/open-webui:main
+    image: ghcr.io/open-webui/open-webui:cuda
-    ports:
+    # ports:
-      - "3000:8080"
+      # - "3000:8080"
     volumes:
       - open-webui:/app/backend/data
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    deploy:
+      resources:
+        reservations:
+          devices:
+            - driver: nvidia
+              count: all
+              capabilities: [gpu]
+    env_file: ".env"
+    networks:
+      - caddynet
+
 volumes:
   open-webui:
+
+networks:
+  caddynet:
+    external: true

open-webui/env.example

@@ -0,0 +1,47 @@
+WEBUI_SECRET_KEY=
+
+ENABLE_PERSISTENT_CONFIG=true
+
+CORS_ALLOW_ORIGIN=
+
+
+# OAuth settings
+
+ENABLE_OAUTH_SIGNUP=True # If set to True, must pair with ENABLE_LOGIN_FORM=False
+ENABLE_LOGIN_FORM=False
+ENABLE_OAUTH_PERSISTENT_CONFIG=False
+# OAUTH_SUB_CLAIM=
+OAUTH_MERGE_ACCOUNTS_BY_EMAIL=True
+# ENABLE_OAUTH_WITHOUT_EMAIL=False
+# OAUTH_UPDATE_PICTURE_ON_LOGIN=False
+# ENABLE_OAUTH_ID_TOKEN_COOKIE=True
+# ENABLE_OAUTH_TOKEN_EXCHANGE=False
+OAUTH_CLIENT_INFO_ENCRYPTION_KEY=
+
+ENABLE_PASSWORD_AUTH=False # this is labeled as a 'general' setting, but placed here because it implies ENABLE_OAUTH_SIGNUP=True (or login will be disabled completely).
+
+
+## OIDC specific settings
+
+OAUTH_CLIENT_ID=
+OAUTH_CLIENT_SECRET=
+OPENID_PROVIDER_URL=
+OPENID_REDIRECT_URI=
+OAUTH_SCOPES="openid email profile open-webui"
+# OAUTH_CODE_CHALLENGE_METHOD=""
+OAUTH_PROVIDER_NAME="Authentik"
+# OAUTH_USERNAME_CLAIM="name"
+# OAUTH_EMAIL_CLAIM="email"
+# OAUTH_PICTURE_CLAIM="picture"
+# OAUTH_GROUP_CLAIM="groups"
+# ENABLE_OAUTH_ROLE_MANAGEMENT=False
+# ENABLE_OAUTH_GROUP_MANAGEMENT=False
+# ENABLE_OAUTH_GROUP_CREATION=False
+# OAUTH_BLOCKED_GROUPS="[]"
+# OAUTH_ROLES_CLAIM="roles"
+# OAUTH_ALLOWED_ROLES="user,admin"
+# OAUTH_ADMIN_ROLES="admin"
+# OAUTH_ROLES_SEPARATOR=";"
+# OAUTH_ALLOWED_DOMAINS="*"
+# OAUTH_AUDIENCE=""
+