added postgres & made structure changes

homelab/applications/authelia/compose.yaml

@@ -1,29 +0,0 @@
-secrets:
-  STORAGE_ENCRYPTION_KEY:
-    file: './secrets/authelia_db_encryption_key'
-
-services:
-  authelia:
-    image: authelia/authelia:latest
-    container_name: authelia
-    volumes:
-      # Config files are still mounted as volumes
-      - ./config/configuration.yml:/config/configuration.yml:ro
-      - ./config/users_database.yml:/config/users_database.yml:ro
-      
-      # Persistent SQLite database directory
-      - ./db:/config/db
-    ports:
-      - '9091:9091'
-    secrets: ['STORAGE_ENCRYPTION_KEY']
-    environment:
-      TZ: 'Etc/UTC'
-      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
-        
-    restart: always
-    healthcheck:
-      test: ["CMD", "authelia", "healthcheck"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-      start_period: 5s

homelab/applications/authelia/config/configuration.yml

@@ -1,59 +0,0 @@
-server:
-  address: 0.0.0.0:9091
-  endpoints:
-    authz:
-      forward-auth:
-        implementation: 'ForwardAuth'
-
-log:
-  level: info
-
-# --- Storage ---
-storage:
-  local:
-    path: /config/db/authelia.sqlite.db
-
-# --- Authentication ---
-authentication_backend:
-  file:
-    path: /config/users_database.yml
-    password:
-      algorithm: argon2id
-      iterations: 1
-      memory: 2097152
-      parallelism: 4
-      salt_length: 16
-      key_length: 32
-  password_reset:
-    disable: true
-  password_change:
-    disable: false
-
-# --- Session ---
-session:
-  cookies:
-    - domain: 'saljic.me'
-      authelia_url: 'https://auth.saljic.me'
-      default_redirection_url: 'https://home.saljic.me'
-
-# --- Notifier (No Mail) ---
-notifier:
-  filesystem:
-    filename: /config/db/notifications.log
-
-# --- Access Control ---
-access_control:
-  default_policy: deny
-  rules:
-    - domain: "*.saljic.me"
-      policy: one_factor
-
-# --- Password policies ---
-password_policy:
-  standard:
-    enabled: true
-    min_length: 8
-    require_uppercase: true
-    require_lowercase: true
-    require_number: true
-    require_special: true

homelab/applications/authelia/config/users_database.yml

@@ -1,9 +0,0 @@
-users:
-  amar:
-    disabled: false
-    displayname: 'Amar Šaljić'
-    password: '$argon2id$v=19$m=65536,t=3,p=4$5PaYrZOdJzg3SMIAqql/uA$EFH9v2DfJZw6ni8uup4BWMEFvMwIlM5HbH7MLX7F4g0' 
-    email: 'amar@saljic.me'
-    groups:
-      - 'admins'
-      - 'dev'

homelab/applications/caddy/Caddyfile

@@ -1,34 +1,48 @@
-# --- Authelia Portal ---
-# This is the login page itself. It does NOT have forward_auth.
-auth.saljic.me {
-  # Proxy to the Authelia Docker container on port 9091
-  reverse_proxy localhost:9091
+# --- Home Assistant ---
+(logging) {
+    log {
+        output file /var/log/caddy/access.log {
+            # Roll logs to save space
+            roll_size     100mb
+            roll_keep     10
+            roll_keep_for 720h # 30 days
+        }
+        format json
+        level  INFO  # This ensures all requests (INFO, WARN, ERROR) are logged
+    }
 }
 
-# --- Home Assistant (Protected App) ---
-ha.saljic.me {
-  # 1. Apply authentication using Caddy's 'forward_auth'
-  forward_auth localhost:9091 {
-      uri /api/authz/forward-auth
-      copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
-  }
+# --- top domain --- 
+saljic.me {
+  import logging
+  respond "Welcome! In the making..."
+}
 
-  # 2. If auth is successful, proxy to your Home Assistant instance
+ha.saljic.me {
+  import logging
   reverse_proxy 10.10.10.6:8123
 }
 
+# --- FreshRSS --- 
+feed.saljic.me {
+  import logging
+  reverse_proxy 10.10.10.6:8081
+}
+
 # --- Immich ---
 tagebuch.saljic.me {
+  import logging
   reverse_proxy 10.10.10.6:2283
 }
 
-# --- default --- 
-home.saljic.me {
-  header Content-Type text/html
-	respond <<HTML
-		<html>
-			<head><title>saljic.me</title></head>
-			<body>Hello there</body>
-		</html>
-		HTML 200
+# --- Gitea ---
+git.saljic.me {
+  import logging
+  reverse_proxy 10.10.10.6:8030
+}
+
+# --- ntfy ---
+ntfy.saljic.me {
+  import logging
+  reverse_proxy 10.10.10.6:8500
 }

homelab/applications/gitea/compose.yml

@@ -0,0 +1,14 @@
+  services:
+   server:
+     image: docker.gitea.com/gitea:latest
+     container_name: gitea
+     environment:
+       - USER_UID=1000
+       - USER_GID=1000
+       - DISABLE_REGISTRATION=true
+     restart: always
+     volumes:
+       - ./data:/data
+     ports:
+       - "8030:3000"
+       - "222:22"

homelab/applications/homeassistant/config/configuration.yaml

@@ -0,0 +1,19 @@
+# Loads default set of integrations. Do not remove.
+default_config:
+
+# Load frontend themes from the themes folder
+frontend:
+  themes: !include_dir_merge_named themes
+
+automation: !include automations.yaml
+script: !include scripts.yaml
+scene: !include scenes.yaml
+http:
+  use_x_forwarded_for: true
+  trusted_proxies:
+    - 192.168.100.5
+homeassistant:
+  external_url: "https://ha.saljic.me"
+  internal_url: "http://10.10.10.6:8123"
+
+sensor: !include sensor.yaml

homelab/applications/postgres/README.md

@@ -0,0 +1,28 @@
+# Postgres
+## Set up non-root user for container
+We are providing a non-root user to the container to limit the attack surface for privilege escalations. In order for this to work in our setup, please make sure to check if you have a user called `postgres` set up. 
+
+1. Check if user `postgres` exists and if the UID is 1002
+
+```
+cat /etc/passwd | grep postgres
+```
+
+In case the `postgres` user exists but the UID is not 1002, please adjust it via 
+```
+sudo usermod -u 1002 postgres
+```
+
+In case the `postgres` user doesn't exist at all, please create the user incl. the right UID by running
+```
+sudo useradd -u 1002 postgres
+```
+
+## About secrets
+In order to manage secrets centrally in 1Password and due to the need for secrets in Postgres, using `docker compose` directly in the terminal does not work. 
+
+## Bring up/tear down container
+Please use the `start.sh` to spin up the container
+### Prerequisites start.sh
+- User executing the script is part of the `docker` group
+- Env variable `OP_SERVICE_ACCOUNT_TOKEN` is set up \[check out top-level README.md for more information on how to set this up\]

homelab/applications/postgres/compose.yml

@@ -0,0 +1,18 @@
+secrets:
+    postgres_password:
+        environment: POSTGRES_PASSWORD
+    postgres_user:
+        environment: POSTGRES_USER
+services:
+    postgres:
+        image: postgres:18
+        container_name: postgres
+        user: "1002"
+        restart: always
+        shm_size: 1024mb
+        environment:
+            POSTGRES_USER_FILE: /run/secrets/postgres_user
+            POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+        secrets: ['postgres_password', 'postgres_user']
+        ports: ['5432:5432']
+        volumes: ['./data:/var/lib/postgresql']

homelab/applications/postgres/start.sh

@@ -0,0 +1,13 @@
+#!/bin/zsh
+# Exit immediately if a command exits with a non-zero status.
+set -e
+
+echo "--- Starting Docker Secret Management ---"
+# Mount secrets
+export POSTGRES_USER="$(op read 'op://NAxS Homelab/Postgres Homelab/username')"
+export POSTGRES_PASSWORD="$(op read 'op://NAxS Homelab/Postgres Homelab/password')"
+
+# Bring up container
+docker compose up -d
+
+echo "--- Docker Secret Management Complete ---"