immich version bump, add workout tracker

fix calibre client listing

.env

@@ -0,0 +1,29 @@
+# Base directory for docker-compose
+DOCKER_DIR=/docker
+
+# Directory for env files
+ENV_DIR=/docker/env
+
+# The IP of this server in the tailscale network
+DNS_IP=100.111.0.126
+
+# Time zone
+TZ=America/Chicago
+
+# Jellyfin directories
+JF_MOVIES=/media/jf/movies
+JF_SHOWS=/media/jf/shows
+JF_MUSIC=/media/jf/music
+
+# Immich directories
+IMMICH_LIBRARY=/media/immich
+
+# Kiwix directories
+KIWIX_DIR=/media/kiwix
+
+# qBittorrent directories
+QB_EXT_DL=/media/dl
+
+# Audiobookshelf directories
+ABS_BOOKS=/media/abs/audiobooks
+ABS_PODS=/media/abs/podcasts

.gitignore

@@ -0,0 +1,4 @@
+*
+!docker-compose.yml
+!.env
+!readme.md

readme.md

@@ -12,78 +12,149 @@ I have a dedicated home server that I run a lot of services on. This repo has my
 
 ## Services
 
-These are all the services hosted here, what they are for, and any clients I use with them.
+These are all the services hosted, what they are for, and any clients I use with them, in alphabetical order.
 
-### User-Facing
+### Media
 
+- [AudioBookShelf](https://www.audiobookshelf.org/) - Audiobook, ebook, and podcast server
+  - The official mobile client works great
+- [Immich](https://immich.app/) - Photo and video management
+  - Their official mobile apps are quite good
 - [Jellyfin](https://jellyfin.org) - Media server for movies, TV shows, and music
   - [Feishin](https://github.com/jeffvli/feishin) - Desktop music client (soon to be replaced by [audioling](https://github.com/audioling/audioling))
   - [Finamp](https://github.com/jmshrv/finamp) - Mobile music client
   - For other devices (desktop, mobile, Roku/Android TV) I use either the web app or the official Jellyfin client
+
+### Utilities
+
+- [Actual Budget](https://actualbudget.org/) - Excellent budgeting app. It can be automatically synced with your bank ([SimpleFIN Bridge](https://beta-bridge.simplefin.org/) for US banks, $15/year), but I have found that to be unstable
+  - There used to be an official app but it has been discontinued - I added the website to my phone's home screen and it works quite well
+- [Baikal](https://sabre.io/baikal/) - Calendar/contacts
+- [Backrest](https://github.com/garethgeorge/backrest) - UI to manage backups (sent to a Raspberry Pi 5 running [restic](https://restic.net/))
+- [ConvertX](https://github.com/C4illin/ConvertX) - File conversion utility
+- [Gitea](https://about.gitea.com/) - Git server - in the process of replacing my GitHub account
+  - [iOS Client](https://apps.apple.com/us/app/grocy-mobile/id1567803209)
+- [Wallabag](https://wallabag.org/) - Bookmark tool for links, pictures, notes, etc.
+- [IT Tools](https://github.com/CorentinTh/it-tools) - Collection of random useful development/IT utilities
+- [Kiwix](https://kiwix.org/en/) - Offline wiki hosting - I have Wikipedia, the Arch Linux wiki, and several others downloaded
+- [LubeLogger](https://lubelogger.com/) - Car mileage and service tracker
+- [Maloja](https://github.com/krateng/maloja) - Self-hosted music listen tracker (last.fm replacement) - with [multi-scrobbler](https://github.com/FoxxMD/multi-scrobbler) for Jellyfin support
+- [Memos](https://github.com/usememos/memos) - Super simple note/list/todo/memo app
 - [Miniflux](https://miniflux.app/) - Minimalist RSS feed reader
   - [NetNewsWire](https://netnewswire.com/) - Wonderful all-purpose iOS RSS client
-- [vaultwarden](https://github.com/dani-garcia/vaultwarden) - Password manager
-  - [Bitwarden clients](https://bitwarden.com/download/)
-- [Gitea](https://about.gitea.com/) - Git server - in the process of replacing my GitHub account
-- [LinkStack](https://linkstack.org/) - Self-hosted LinkTree alternative
-- [Homepage](https://gethomepage.dev/) - My default new tab page; has info about all my services plus links
-- [Kiwix](https://kiwix.org/en/) - Offline wiki hosting - I have Wikipedia, the Arch Linux wiki, and several others downloaded
-- [Actual Budget](https://actualbudget.org/) - Excellent budgeting app - it can be automatically synced with your bank, but I have found it to be unstable
-  - There used to be an official app but it has been discontinued - I added the website to my phone's home screen and it works quite well
 - [Paperless-ngx](https://docs.paperless-ngx.com/) - Document management system for legal documents, IDs, bank statements, etc.
   - [Swift Paperless](https://github.com/paulgessinger/swift-paperless) - iOS client
-- [Immich](https://immich.app/) - Photo and video management
+- [PicoShare](https://github.com/picocss/pico) - Super simple file sharing tool
-  - Their official mobile apps are quite good
+- [Seafile](https://www.seafile.com/en/home/) - Cloud drive
-- [Grocy](https://github.com/grocy/grocy) - Household management (Am I out of milk? Do I have AAA batteries? What can I make for dinner?)
+- [Static Webserver](https://github.com/lipanski/docker-static-website) - Simple Docker container with BusyBox to serve my personal website ([azpsen.com](https://azpsen.com))
-  - [iOS Client](https://apps.apple.com/us/app/grocy-mobile/id1567803209)
+- [Stirling PDF](https://www.stirlingpdf.com/) - PDF tools for viewing, editing, converting, and everything else
 - [Tandoor](https://tandoor.dev/) - Recipe management, so I always know which zucchine muffin recipe is the good one
   - [Untare](https://github.com/phantomate/Untare) - Mobile client (discontinued but it still works for now)
-- [AudioBookShelf](https://www.audiobookshelf.org/) - Audiobook server
+- [Tinyhome](https://github.com/bderenzo/tinyhome) - Static new tab page set up with links to all my server stuff
-  - The official mobile client works great
+- [Vaultwarden](https://github.com/dani-garcia/vaultwarden) - Password manager
-- [Calibre Web](https://github.com/janeczku/calibre-web) - Ebook management
+  - [Bitwarden clients](https://bitwarden.com/download/)
-  - [Yomu](https://www.yomu-reader.com/) for iOS is nice and minimal and supports OPDS for use with Calibre Web
+- [Wizarr](https://github.com/Wizarrrr/wizarr?tab=readme-ov-file) - Jellyfin user invite manager
-- [Joplin](https://joplinapp.org/) - Notes (Obsidian alternative)
+- [Workout Tracker](https://github.com/jovandeginste/workout-tracker) - Used with [OpenTracks](https://github.com/OpenTracksApp/OpenTracks) to track my cycling
 
 ### Monitoring
 
+- [Beszel](https://www.beszel.dev/) - System stats with pretty graphs
 - [Dozzle](https://dozzle.dev/) - Docker logs all in one place
-- [Scrutiny](https://github.com/AnalogJ/scrutiny) - HDD SMART monitoring, so I know when to prepare for a drive failure
-- [Speedtest Tracker](https://speedtest-tracker.dev/) - Runs scheduled internet speedtests and creates pretty graphs to keep my ISP honest
 - [Glances](https://github.com/nicolargo/glances) - System monitor - I mostly have this for dashboard widgets but it can be useful by itself
+- [Scrutiny](https://github.com/AnalogJ/scrutiny) - HDD SMART monitoring, so I know when to prepare for a drive failure
+- [MySpeed](https://github.com/gnmyt/myspeed) - Runs scheduled internet speedtests and creates pretty graphs to keep my ISP honest
 
 ### Networking
 
-- [cloudflared](https://github.com/cloudflare/cloudflared) - CloudFlare tunnel client for easy and secure external service access
-- [gluetun](https://github.com/qdm12/gluetun) - Docker VPN client
 - [AdGuard Home](https://adguard.com/en/adguard-home/overview.html) - DNS filtering - I use this with [tailscale](https://tailscale.com/) to block ads on my phone
+- [Cloudflared](https://github.com/cloudflare/cloudflared) - CloudFlare tunnel client for easy and secure external service access
+- [Gluetun](https://github.com/qdm12/gluetun) - Docker VPN client and kill-switch. Very useful, allows for per-container VPN routing.
 
-Note that I run tailscale on bare metal so it is not listed here, but it is very useful for remote access to services I don't want visible on the open internet as well as SSH access.
+Note that I run tailscale as a system service, not in a container, so it is not listed here, but it is very useful for secure remote access - both for SSH and for services that don't need to be publicly visible.
+
+In `docker-compose.yml`, services that I access through tailscale need the `dns: 100.111.0.126` section in order to access the internet (`100.111.0.126` is the tailscale IP of the server).
 
 ### Downloading
 
+- [Bazarr](https://www.bazarr.media/) - Automated subtitle fetching (I also use the OpenSubtitles plugin within Jellyfin when needed, but this works hands-off most of the time)
+- [Prowlarr](https://prowlarr.com/) - Torrent indexer that interfaces with the other \*arrs
 - [qBittorrent](https://www.qbittorrent.org/) - The only torrent client I'll ever use
 - [Radarr](https://radarr.video/) - Automated movie fetching
 - [Sonarr](https://sonarr.tv/) - Automated TV show fetching
-- [Prowlarr](https://prowlarr.com/) - Torrent indexer that interfaces with the other *arrs
-- [Bazarr](https://www.bazarr.media/) - Automated subtitle fetching (I also use the OpenSubtitles plugin within Jellyfin when needed, but this works hands-off most of the time)
 
 I use [LunaSea](https://www.lunasea.app/) as a mobile client for Radarr and Sonarr.
 
 ## Environment
 
-This configuration uses `.env` files to separate secrets from public information and maintain brevity in the main `docker-compose.yml`
+This configuration uses `.env` files to separate secrets from public information and keep the main `docker-compose.yml` a little shorter. It is set up to look for these files in `/docker/env`, with each service having its own `<service>.env` file.
 
-Here are the variables that need to be set in the `.env` file for each service. Empty variables should be replaced with your values.
+Below are the variables that need to be set in the `.env` file for each service. Empty variables should be replaced with your values.
 
-### cloudflared
+> **A Note on Email**
+>
+> Several of these env files include SMTP settings, which are completely optional. Automated email sending is very useful for user signups, 2FA, account recovery, and notifications, but email is notoriously difficult to self-host. The solution I've found works very well and generally gets past spam filters.
+>
+> I use [SendGrid](https://sendgrid.com/en-us) with CloudFlare's [email routing](https://blog.cloudflare.com/introducing-email-routing/) for email. I have a catch-all rule in CloudFlare that forwards all emails to a dedicated Gmail address, and that address uses a `Send Mail As` address set up with SendGrid's SMTP for sending emails by hand.
+>
+> By default, emails sent this way will show a little `via sendgrid.net` notice. To remove this, [verify your domain](https://www.twilio.com/docs/sendgrid/ui/account-and-settings/how-to-set-up-domain-authentication) with SendGrid.
+>
+> Also, link tracking is enabled by default and should be disabled in SendGrid's tracking settings.
+>
+> **SMTP Settings:**
+>
+> - Host: `smtp.sendgrid.net`
+> - Port: `587`
+> - Security: `tls` (or equivalent, e.g. `starttls` for vaultwarden)
+> - Username: `apikey`
+> - Password: API Key generated in SendGrid
+> - From: `<mailer-name>@<your-domain>` - For each custom sender (`mailer-name`), there needs to be a verified sender in SendGrid.
 
-`TUNNEL_TOKEN`: available in the cloudflare zero-trust tunnel dashboard, under `install and run a connector`
+### Beszel
 
-### gluetun
+[Docs](https://www.beszel.dev/guide/environment-variables)
 
-The values below are specific to Mullvad VPN. Other providers need different values, refer to gluetun documentation.
+```env
+# beszel.env
 
+# Hub settings
+BESZEL_HUB_APP_URL=
+
+# Agent settings
+BESZEL_AGENT_LISTEN=/beszel_socket/beszel.sock
+BESZEL_AGENT_KEY=''
 ```
+
+### Cloudflared
+
+[Docs](https://github.com/cloudflare/cloudflared?tab=readme-ov-file)
+
+```env
+# cloudflared.env
+
+# Available in the cloudflare zero-trust tunnel dashboard, under `install and run a connector`
+TUNNEL_TOKEN=
+```
+
+### ConvertX
+
+[Docs](https://github.com/C4illin/ConvertX#environment-variables)
+
+```env
+# convertx.env
+
+JWT_SECRET=
+HTTP_ALLOWED=true
+```
+
+### Gluetun
+
+[Docs](https://github.com/qdm12/gluetun)
+
+The values below are specific to Mullvad VPN ([gluetun docs](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/mullvad.md)). Other providers need different values, refer to the corresponding gluetun documentation.
+
+```env
+# gluetun.env
+
 VPN_SERVICE_PROVIDER=mullvad
 VPN_TYPE=wireguard
 WIREGUARD_PRIVATE_KEY=
@@ -91,17 +162,18 @@ WIREGUARD_ADDRESSESS=
 SERVER_CITIES=
 ```
 
-The actual values should be available in the WireGuard configuration from Mullvad.
+The values for `WIREGUARD_PRIVATE_KEY` and `WIREGUARD_ADDRESSES` should be available in the WireGuard configuration file generated by Mullvad. `SERVER_CITIES` should be set to the city of your configuration's selected exit node.
 
 ### Immich
 
-My current Immich docker setup includes a lot of repetition - when I want to update, I have to change the version in 3 places.
+[Docs](https://immich.app/docs/install/docker-compose/)
 
-I have plans to improve this, but for now this is what works.
+My current Immich docker setup has a lot of repetition - when I want to update, I have to change the version in 3 places. I have plans to improve this, but for now this is what works. Also note that the way I set the upload location is not recommended by the Immich docs.
+
+```env
+# immich.env
 
-```
 UPLOAD_LOCATION=/media/immich
-IMMICH_VERSION="v1.123.0"
 
 TYPESENSE_API_KEY=
 DB_PASSWORD=
@@ -118,39 +190,73 @@ POSTGRES_USER=postgres
 POSTGRES_DB=immich
 ```
 
-### Joplin
+### Invidious
 
-```
+[Docs](https://docs.invidious.io/installation/)
-APP_PORT=22300
+
-APP_BASE_URL=
+Note that the `password` under `db` in `INVIDIOUS_CONFIG` should be the same as the `POSTGRES_PASSWORD`. The `hmac_key` should be a different, randomly generated value
-DB_CLIENT=pg
+
+```env
+# invidious.env
+
+# Invidious
+INVIDIOUS_CONFIG='
+    db:
+        dbname: invidious
+        user: invidious
+        password:
+        host: invidious-db
+        port: 5432
+    check_tables: true
+    signature_server: invidious-sighelper:12999
+    visitor_data:
+    po_token:
+    external_port: 9080
+    https_only: false
+    statistics_enabled: false
+    registration_enabled: false
+    popular_enabled: false
+    hmac_key:
+    admins: ["april"]
+    default_user_preferences:
+        quality: dash
+        feed_menu: ["Trending", "Subscriptions", "Playlists"]
+        default_home: Trending
+'
+
+# Database
+POSTGRES_DB=invidious
+POSTGRES_USER=invidious
 POSTGRES_PASSWORD=
-POSTGRES_DATABASE=joplin
-POSTGRES_USER=
-POSTGRES_PORT=5432
-POSTGRES_HOST=joplin-db
 
-# Optional SMTP email options
+# to update the visitor_data and po_token:
-MAILER_ENABLED=1
+# docker run quay.io/invidious/youtube-trusted-session-generator
-MAILER_HOST=
+# or, for use with gluetun:
-MAILER_PORT=465
+# docker run --network=container:gluetun quay.io/invidious/youtube-trusted-session-generator
-MAILER_SECURE=1
-MAILER_AUTH_USER=
-MAILER_AUTH_PASSWORD=
-MAILER_NOREPLY_NAME=
-MAILER_NOREPLY_EMAIL=
 ```
 
-### LinkStack
+### LubeLogger
 
-```
+[Docs](https://docs.lubelogger.com/Advanced/Environment%20Variables)
-HTTPS_SERVER_NAME=
+
-SERVER_ADMIN=
+```env
+# lubelogger.env
+LC_ALL=en_US
+LANG=en_US
+MailConfig__EmailServer=
+MailConfig__EmailFrom=
+MailConfig__Port=587
+MailConfig__Username=
+MailConfig__Password=
 ```
 
 ### Miniflux
 
-```
+[Docs](https://miniflux.app/docs/docker.html)
+
+```env
+# miniflux.env
+
 DATABASE_URL=postgres://miniflux:{...}@rss_db:5432/miniflux?sslmode=disable # replace {...} with your postgres password
 RUN_MIGRATIONS=1
 
@@ -159,9 +265,31 @@ POSTGRES_PASSWORD= # this is the password used above
 POSTGRES_DB=miniflux
 ```
 
+### MultiScrobbler
+
+[Docs](https://foxxmd.github.io/multi-scrobbler/docs/configuration/)
+
+```env
+# scrobbler.env
+
+TZ=America/Chicago
+PUID=1000
+PGID=1000
+MALOJA_URL=http://maloja:42010
+MALOJA_API_KEY=
+JELLYFIN_URL=http://jellyfin:8096
+JELLYFIN_USER=
+JELLYFIN_APIKEY=
+JELLYFIN_USERS_ALLOW=
+```
+
 ### Paperless-ngx
 
-```
+[Docs](https://docs.paperless-ngx.com/setup/#docker)
+
+```env
+# paperless.env
+
 USERMAP_UID=1000
 USERMAP_GID=1000
 PUID=1000
@@ -169,7 +297,7 @@ PGID=1000
 
 PAPERLESS_URL=
 
-# random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
+# Random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
 PAPERLESS_SECRET_KEY=
 
 PAPERLESS_TIME_ZONE=
@@ -188,29 +316,51 @@ PAPERLESS_EMAIL_HOST_PASSWORD=
 PAPERLESS_EMAIL_FROM=
 ```
 
-### Speedtest Tracker
+### PicoShare
 
+[Docs](https://github.com/mtlynch/picoshare)
+
+```env
+# picoshare.env
+
+PORT=4001
+PS_SHARED_SECRET=
+PS_BEHIND_PROXY=true
 ```
-PUID=1000
+
-PGID=1000
+### Seafile
-APP_KEY=
+
-APP_URL=
+[Docs](https://manual.seafile.com/11.0/docker/deploy_seafile_with_docker/)
-DB_CONNECTION=sqlite
+
-APP_TIMEZONE=
+```env
-DISPLAY_TIMEZONE=
+# seafile.env
-SPEEDTEST_SCHEDULE=0,15,30,45 * * * * # run speedtest every 15 minutes
+
+DB_HOST=seafile_db
+DB_ROOT_PASSWD=
+SEAFILE_ADMIN_EMAIL=
+SEAFILE_ADMIN_PASSWORD=
+SEAFILE_SERVER_HOSTNAME=
+FORCE_HTTPS_IN_CONF=true
+
+MYSQL_ROOT_PASSWORD= # same as DB_ROOT_PASSWD above
+MYSQL_LOG_CONSOLE=true
+MARIADB_AUTO_UPGRADE=1
 ```
 
 ### Tandoor
 
-```
+[Docs](https://docs.tandoor.dev/install/docker/)
-# random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
+
+```env
+# tandoor.env
+
+# Random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
 SECRET_KEY=
 
-# allowed hosts (see documentation), should be set to your hostname(s) but might be * (default) for some proxies/providers
+# Allowed hosts (see documentation), should be set to your hostname(s) but might be * (default) for some proxies/providers
 ALLOWED_HOSTS=
 
-# add only a database password if you want to run with the default postgres, otherwise change settings accordingly
+# Add only a database password if you want to run with the default postgres, otherwise change settings accordingly
 DB_ENGINE=django.db.backends.postgresql
 POSTGRES_HOST=tandoor-db
 POSTGRES_DB=tandoor
@@ -219,15 +369,25 @@ POSTGRES_USER=tandoor
 POSTGRES_PASSWORD=
 ```
 
-### vaultwarden
+### Vaultwarden
 
-```
+[Docs](https://github.com/dani-garcia/vaultwarden)
+
+Note that the cryptography API used by vaultwarden requires HTTPS, so local access can be a bit of a challenge.
+
+These values are only required if you need to use the vaultwarden admin page (for user management, SMTP, hardware 2FA, etc.). The `ADMIN_TOKEN` value gave me trouble - to make it work, I used the 'Using `argon2`' instructions from [Enabling admin page](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page) in the docs. At `your-ip-or-url.com/admin`, the password you used for the hash will unlock it (e.g. `MySecretPassword` per their example).
+
+Note: The `ADMIN_TOKEN` value should be enclosed in single quotes. If it is not, all instances of `$` in the value will need to be replaced with `$$` to prevent the value from being split by the parser.
+
+```env
+# vaultwarden.env
+
+# Public domain or IP
 DOMAIN=
 
-# dollar signs must be replaced with two dollar signs to properly escape variables in this token
 ADMIN_TOKEN=
 
-# optional SMTP email settings
+# Optional SMTP email settings
 SMTP_HOST=
 SMTP_FROM=
 SMTP_PORT=587
@@ -235,3 +395,35 @@ SMTP_SECURITY=starttls
 SMTP_USERNAME=
 SMTP_PASSWORD=
 ```
+
+### Wallabag
+
+[Docs](https://hub.docker.com/r/wallabag/wallabag/)
+
+The domain name should be set to your Wallabag instance's domain (e.g. links.mysite.com). Server name is just a pretty name for your instance. The DB password and secret can be set to randomly generated strings.
+
+FOSUSER_REGISTRATION must be set to `true` for at least the first run so a user can be created.
+
+Note: The username/password need to be included in the mailer DSN (e.g. smtp://apikey:mykey12345@smtp.sendgrid.net)
+
+```env
+# wallabag.env
+
+SYMFONY__ENV__DOMAIN_NAME=
+SYMFONY__ENV__SERVER_NAME=
+SYMFONY__ENV__DATABASE_PASSWORD=
+SYMFONY__ENV__SECRET=
+SYMFONY__ENV__FOSUSER_REGISTRATION=false
+SYMFONY__ENV__MAILER_DSN=
+SYMFONY__ENV__FROM_EMAIL=
+```
+
+### Workout Tracker
+
+[Docs](https://github.com/jovandeginste/workout-tracker#docker)
+
+```env
+# workout-tracker.env
+
+WT_JWT_ENCRYPTION_KEY=
+```