chris/scarif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: chris:650bb88bc07569f81fd4cd693c1715b7ead833e6
Branches Tags
chris:master
...
compare: chris:f776320efb641e1d5f921e3403ca0e76f66a74fe
Branches Tags
chris:master

3 Commits
650bb88bc0 ... f776320efb

Author SHA1 Message Date
Chris
f776320efb Still working on web search 2025-07-25 22:08:45 +01:00
Chris
d2540d2b05 Getting it all running 2025-07-25 21:17:58 +01:00
Chris
a1e0fb1ebb Switch to nginx-proxy 2025-07-20 22:21:37 +01:00
14 changed files with 804 additions and 170 deletions
Expand all files Collapse all files

33
.env.example
View File

@@ -7,6 +7,7 @@ USER_PASSWORD=
DOMAIN=scarif.local
LOCAL_IP=192.168.10.10
SSH_KEY= # Will be added to authorized keys
COMPOSE_PROFILES=prod
#
# Database settings
@@ -37,12 +38,42 @@ NEXTCLOUD_ADMIN_USER=${USERNAME}
NEXTCLOUD_ADMIN_PASSWORD=
#
# MineCraft Settings
# MineCraft settings
# Image: itzg:minecraft-server
#
MINECRAFT_PASSWORD=
MINECRAFT_WHITELIST=
#
# LibreChat settings (droid.scarif.space)
# Image: ghcr.io/danny-avila/librechat-server-dev-lite:latest
#
LIBRECHAT_CREDS_KEY=
LIBRECHAT_CREDS_IV=
LIBRECHAT_JWT_SECRET=
LIBRECHAT_JWT_REFRESH_SECRET=
OPENROUTER_KEY=
AIHUBMIX_KEY=
JINA_API_KEY=
#
# Meilisearch settings
# Image: getmeili/meilisearch:v1.12.3
#
MEILISEARCH_MASTER_KEY=
#
# Searxng settings (holocron.scarif.space)
# Image: searxng/searxng:latest
#
SEARXNG_SECRET_KEY=
#
# Rag API settings
# Image: ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest
#
HF_TOKEN=
#
# Tiny Tiny RSS settings (intel.scarif.space)
# Image: cthulhoo/ttrss-fpm-pgsql-static

14
README.md
View File

@@ -5,6 +5,8 @@ Taking this task one step at a time I started by creating a docker nextcloud ser
> First of all **SWITCH ROUTER DNS SERVER**
### Linux
> This might not be necessary anymore. I think I fixed it by linking to the github repository instead of the AUR.
1. Remove zfs-linux `yay -Rns zfs-linux-lts`
2. Upgrade all packages `yay`
3. Clone the zfs-linux repository `git clone https://aur.archlinux.org/zfs-linux-lts.git`
@@ -171,12 +173,12 @@ The approaches they used were:
I added a new one that put in an nginx reverse proxy container to the custom fpm as that would be needed if I wanted multiple containers serving on the same machine (Monica/Nextcloud/Gitea/etc).
The results I got were similar to the original article:
Solution|Rate|Longest|Shortest|Size (MB)
---|---|---|---|---
Official fpm|143.17|0.92|0.12|
Official apache|503.52|0.53|0.02|415
Custom fpm|2197.80|0.12|0.03|336
Custom fpm proxy|1992.03|0.16|0.02|392
|Solution|Rate|Longest|Shortest|Size (MB)|
|---|---|---|---|---|
|Official fpm|143.17|0.92|0.12| |
|Official apache|503.52|0.53|0.02|415|
|Custom fpm|2197.80|0.12|0.03|336|
|Custom fpm proxy|1992.03|0.16|0.02|392|
# Creating a Nextcloud virtual machine with Rancher
To create the virtual machine I needed to install virtualbox and docker-machine, then I ran the following command:

403
docker-compose.yml
View File

@@ -1,10 +1,3 @@
# Options for building certificates
x-certs: &certs
image: paulczar/omgwtfssl
restart: "no"
volumes:
- /opt/ssl:/certs
x-logging: &logging
logging:
driver: "local"
@@ -12,20 +5,33 @@ x-logging: &logging
max-size: "5m"
max-file: "2"
x-firecrawl-service: &firecrawl-service
image: ghcr.io/mendableai/firecrawl
x-firecrawl-env: &firecrawl-env
REDIS_URL: redis://redis:6379
REDIS_RATE_LIMIT_URL: redis://redis:6379
PLAYWRIGHT_MICROSERVICE_URL: http://playwright:3000/scrape
services:
change:
<<: *logging
container_name: change
image: node:alpine
build: ./change-game
environment:
- PORT=9000
networks:
- nginx
volumes:
- change:/change/public
# change:
# <<: *logging
# profiles: ["prod"]
# container_name: change
# image: node:alpine
# build: ./change-game
# environment:
# - PORT=9000
# - VIRTUAL_HOST=rec.${DOMAIN}
# - CERT_NAME=${DOMAIN}
# - VIRTUAL_PORT=9000
# networks:
# - nginx
# volumes:
# - change:/change/public
foundry:
profiles: ["prod"]
<<: *logging
image: felddy/foundryvtt:release
volumes:
@@ -45,13 +51,18 @@ services:
- CONTAINER_PATCHES=/data/patches
- FOUNDRY_UID=1000
- FOUNDRY_GID=1000
- VIRTUAL_HOST=rec.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=30000
- VIRTUAL_PATH=/foundry
networks:
- nginx
nextcloud:
profiles: ["prod"]
<<: *logging
build: ./nextcloud
image: nextcloud
image: nextcloud:31-fpm-alpine
restart: unless-stopped
user: 1000:1000
volumes:
@@ -59,6 +70,10 @@ services:
- /mnt/tower/stardust:/var/www/html/data
- /mnt/tower/foundry:/var/www/foundry
environment:
- VIRTUAL_HOST=tower.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=9000
- VIRTUAL_PROTO=fastcgi
- REDIS_HOST=redis
- MYSQL_HOST=db
- MYSQL_PASSWORD=${DB_PASSWORD}
@@ -88,12 +103,16 @@ services:
- "office.${DOMAIN}:${LOCAL_IP}"
collabora:
profiles: ["prod", "dev"]
<<: *logging
image: collabora/code
restart: unless-stopped
cap_add:
- MKNOD
environment:
- VIRTUAL_HOST=office.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=9980
- "DONT_GEN_SSL_CERT=True"
- domain=tower.${DOMAIN}
- cert_domain=office.${DOMAIN}
@@ -108,28 +127,14 @@ services:
- "tower.${DOMAIN}:${LOCAL_IP}"
- "office.${DOMAIN}:${LOCAL_IP}"
homebox:
<<: *logging
image: ghcr.io/hay-kot/homebox:latest
restart: unless-stopped
environment:
- HBOX_LOG_LEVEL=info
- HBOX_LOG_FORMAT=text
- HBOX_WEB_MAX_UPLOAD_SIZE=10
- HBOX_OPTIONS_ALLOW_REGISTRATION=false
- HBOX_MAILER_HOST=${MAIL_HOST}
- HBOX_MAILER_PORT=${MAIL_PORT}
- HBOX_MAILER_USERNAME=${MAIL_USER}
- HBOX_MAILER_PASSWORD=${MAIL_PASSWORD}
volumes:
- homebox:/data/
networks:
- nginx
gitea:
profiles: ["prod", "dev"]
<<: *logging
image: gitea/gitea:1
environment:
- VIRTUAL_HOST=labs.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=3000
- "APP_NAME=Labs: Where the good stuff happens"
- RUN_MODE=prod
- DOMAIN=labs.${DOMAIN}
@@ -157,7 +162,80 @@ services:
depends_on:
- db
librechat:
image: ghcr.io/danny-avila/librechat-dev-api:latest
ports:
- 3080:3080
networks:
- nginx
- redis
- db
depends_on:
- mongodb
- rag_api
restart: always
extra_hosts:
- "host.docker.internal:host-gateway"
<<: *logging
environment:
- VIRTUAL_HOST=droid.${DOMAIN}
- VIRTUAL_PORT=3080
- CERT_NAME=${DOMAIN}
- HOST=0.0.0.0
- NODE_ENV=production
- MONGO_URI=mongodb://${DB_USER}:${DB_PASSWORD}@mongodb:27017/LibreChat?authSource=admin
- MEILI_HOST=http://meilisearch:7700
- MEILI_MASTER_KEY=${MEILI_MASTER_KEY}
- RAG_PORT=8000
- RAG_API_URL=http://rag_api:8000
- SEARXNG_INSTANCE_URL=http://searxng:8080
- SEARXNG_API_KEY=${SEARXNG_SECRET_KEY}
- FIRECRAWL_URL=http://firecrawl:3002
- FIRECRWAL_API_KEY=
- ALLOW_EMAIL_LOGIN=true
- ALLOW_REGISTRATION=false
- ALLOW_SOCIAL_LOGIN=false
- ALLOW_SOCIAL_REGISTRATION=false
- ALLOW_PASSWORD_RESET=false
- ALLOW_ACCOUNT_DELETION=false
- ALLOW_UNVERIFIED_EMAIL_LOGIN=true
- CREDS_KEY=${LIBRECHAT_CREDS_KEY}
- CREDS_IV=${LIBRECHAT_CREDS_IV}
- JWT_SECRET=${LIBRECHAT_JWT_SECRET}
- JWT_REFRESH_SECRET=${LIBRECHAT_JWT_REFRESH_SECRET}
- AIHUBMIX_KEY=${AIHUBMIX_KEY}
- OPENROUTER_KEY=${OPENROUTER_KEY}
- IMAGE_GEN_OAI_API_KEY=${AIHUBMIX_KEY}
- IMAGE_GEN_OAI_MODEL=gpt-image-1
- JINA_API_KEY=${JINA_API_KEY}
volumes:
- type: bind
source: ./librechat/librechat.yaml
target: /app/librechat.yaml
- /mnt/tower/stardust/files/chris/.droid/images:/app/client/public/images
- /mnt/tower/stardust/files/chris/.droid/uploads:/app/uploads
- /mnt/tower/stardust/files/chris/.droid/logs:/app/logs
- /mnt/tower/stardust/files/chris/:/files
searxng:
image: docker.io/searxng/searxng:latest
restart: unless-stopped
networks:
- nginx
- redis
volumes:
- ./searxng:/etc/searxng:rw
- searxng:/var/cache/searxng:rw
environment:
- SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
- SEARXNG_SECRET=${SEARXNG_SECRET_KEY}
- VIRTUAL_HOST=holocron.${DOMAIN}
- VIRTUAL_PORT=8080
- CERT_NAME=${DOMAIN}
<<: *logging
minecraft:
profiles: ["prod"]
<<: *logging
image: itzg/minecraft-server
tty: true
@@ -176,6 +254,7 @@ services:
- minecraft:/data
mc-backup:
profiles: ["prod"]
<<: *logging
image: itzg/mc-backup
depends_on:
@@ -193,53 +272,15 @@ services:
- minecraft:/data:ro
- /mnt/tower/backups/minecraft:/backups
tt-rss:
<<: *logging
image: cthulhoo/ttrss-fpm-pgsql-static:latest
restart: unless-stopped
environment:
- TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
- TTRSS_DB_USER=${DB_USER}
- TTRSS_DB_NAME=scarif
- TTRSS_DB_PASS=${DB_PASSWORD}
- TTRSS_DB_HOST=psqldb
#- AUTO_CREATE_USER=${TTRSS_USER}
#- AUTO_CREATE_USER_PASS=${TTRSS_USER_PASS}
#- ADMIN_USER_ACCESS_LEVEL=-2
volumes:
- tt-rss:/var/www/html
- ./tt-rss/config.d:/opt/tt-rss/config.d:ro
depends_on:
- psqldb
networks:
- db
- nginx
tt-rss-updater:
<<: *logging
image: cthulhoo/ttrss-fpm-pgsql-static:latest
restart: unless-stopped
environment:
- TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
- TTRSS_DB_USER=${DB_USER}
- TTRSS_DB_NAME=scarif
- TTRSS_DB_PASS=${DB_PASSWORD}
- TTRSS_DB_HOST=psqldb
volumes:
- tt-rss:/var/www/html
- ./tt-rss/config.d:/opt/tt-rss/config.d:ro
depends_on:
- tt-rss
- psqldb
command: /opt/tt-rss/updater.sh
networks:
- db
navidrome:
profiles: ["prod"]
<<: *logging
image: deluan/navidrome:latest
restart: unless-stopped
environment:
- VIRTUAL_HOST=radio.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=4533
- ND_SCANSCHEDULE=1h
- ND_LOGLEVEL=info
- ND_SESSIONTIMEOUT=24h
@@ -251,15 +292,17 @@ services:
- nginx
pihole:
profiles: ["prod"]
<<: *logging
image: pihole/pihole:latest
ports:
- "53:53/tcp"
- "53:53/udp"
environment:
TZ: "Europe/London"
WEBPASSWORD: ${PIHOLE_PASSWORD}
VIRTUAL_HOST: net.${DOMAIN}
- VIRTUAL_HOST=net.${DOMAIN}
- CERT_NAME=${DOMAIN}
- TZ="Europe/London"
- WEBPASSWORD=${PIHOLE_PASSWORD}
volumes:
- "/docker/pihole/etc-pihole:/etc/pihole"
- "/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
@@ -267,22 +310,8 @@ services:
networks:
- nginx
pdf2audiobook:
<<: *logging
build: ./pdf-to-audiobook
image: pdf2audiobook:latest
container_name: pdf2audiobook
working_dir: /app
volumes:
- ./pdf-to-audiobook:/app
- /mnt/tower/stardust/chris/files/Library:/books:ro
- /mnt/tower/stardust/chris/files/Audiobooks:/audio
environment:
- OPENAI_API_KEY=${OPENAI_API_KEY}
- OPENAI_API_BASE=${OPENAI_API_BASE:-https://aihubmix.com/v1}
- OPENAI_MODEL=${OPENAI_MODEL:-aihubmix-Llama-3-3-70B-Instruct}
jitsi:
profiles: ["prod"]
<<: *logging
image: jitsi/web:stable
restart: unless-stopped
@@ -291,6 +320,9 @@ services:
- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
environment:
- VIRTUAL_HOST=comms.${DOMAIN}
- VIRTUAL_PORT=80
- CERT_NAME=${DOMAIN}
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
@@ -435,6 +467,7 @@ services:
# XMPP server
prosody:
profiles: ["prod"]
<<: *logging
image: jitsi/prosody:stable
restart: unless-stopped
@@ -532,6 +565,7 @@ services:
# Focus component
jicofo:
profiles: ["prod"]
<<: *logging
image: jitsi/jicofo:stable
restart: unless-stopped
@@ -581,6 +615,7 @@ services:
# Video bridge
jvb:
profiles: ["prod"]
<<: *logging
image: jitsi/jvb:stable
restart: unless-stopped
@@ -625,8 +660,8 @@ services:
aliases:
- jvb.meet.jitsi
db:
profiles: ["prod", "dev"]
<<: *logging
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
@@ -641,42 +676,151 @@ services:
networks:
- db
playwright:
profiles: ["prod", "dev"]
<<: *logging
image: ghcr.io/mendableai/playwright-service:latest
environment:
PORT: 3000
BLOCK_MEDIA: true
networks:
- playwright
firecrawl:
profiles: ["prod", "dev"]
<<: [*logging, *firecrawl-service]
environment:
<<: *firecrawl-env
HOST: "0.0.0.0"
PORT: 3002
FLY_PROCESS_GROUP: app
ENV: local
VIRTUAL_HOST: scraper.${DOMAIN}
CERT_NAME: ${DOMAIN}
VIRTUAL_PORT: 3002
depends_on:
- redis
- playwright
ports:
- "3002:3002"
networks:
- redis
- playwright
command: [ "pnpm", "run", "start:production" ]
firecrawl-worker:
profiles: ["prod", "dev"]
<<: [*firecrawl-service, *logging]
environment:
<<: *firecrawl-env
FLY_PROCESS_GROUP: worker
networks:
- redis
- playwright
depends_on:
- redis
- playwright
- firecrawl
command: [ "pnpm", "run", "workers" ]
redis:
profiles: ["prod", "dev"]
<<: *logging
image: redis:alpine
restart: always
networks:
- redis
nginx:
<<: *logging
image: nginx:alpine
mongodb:
profiles: ["prod", "dev"]
# ports:
# - 27018:27017
image: mongo
restart: always
volumes:
- mongodb:/data/db
command: mongod
networks:
- db
environment:
- MONGO_INITDB_ROOT_USERNAME=${DB_USER}
- MONGO_INITDB_ROOT_PASSWORD=${DB_PASSWORD}
<<: *logging
meilisearch:
profiles: ["prod", "dev"]
image: getmeili/meilisearch:v1.12.3
restart: always
networks:
- db
# ports:
# - 7700:7700
environment:
- MEILI_HOST=http://meilisearch:7700
- MEILI_NO_ANALYTICS=true
- MEILI_MASTER_KEY=${MEILI_MASTER_KEY}
volumes:
- meilisearch:/meili_data
<<: *logging
vectordb:
profiles: ["prod", "dev"]
image: ankane/pgvector:latest
networks:
- db
environment:
POSTGRES_DB: mydatabase
POSTGRES_USER: myuser
POSTGRES_PASSWORD: mypassword
restart: always
volumes:
- pgdata2:/var/lib/postgresql/data
<<: *logging
rag_api:
profiles: ["prod", "dev"]
image: ghcr.io/danny-avila/librechat-rag-api-dev:latest
environment:
- DB_HOST=vectordb
- RAG_PORT=8000
- EMBEDDINGS_PROVIDER=huggingface
- HF_TOKEN=${HF_TOKEN}
restart: always
networks:
- db
depends_on:
- vectordb
<<: *logging
nginx:
<<: *logging
profiles: ["prod", "dev"]
image: nginxproxy/nginx-proxy
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- /opt/ssl:/etc/nginx/certs:ro
- ./nginx/nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template
- ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh
- ./nginx/vhost.d/labs_location:/etc/nginx/vhost.d/labs.${DOMAIN}_location:ro
- ./nginx/vhost.d/office:/etc/nginx/vhost.d/office.${DOMAIN}:ro
- ./nginx/vhost.d/rec:/etc/nginx/vhost.d/rec.${DOMAIN}:ro
- ./nginx/vhost.d/tower_location_override:/etc/nginx/vhost.d/tower.${DOMAIN}_location_override:ro
- ./nginx/vhost.d/tower:/etc/nginx/vhost.d/tower.${DOMAIN}:ro
- ./nginx/conf.d/custom_proxy.conf:/etc/nginx/conf.d/custom_proxy.conf:ro
- nextcloud:/var/www/html/nextcloud:ro
- ./christmas:/var/www/html/christmas:ro
- tt-rss:/var/www/html/tt-rss:ro
- change:/var/www/html/change:ro
environment:
- DOMAIN=${DOMAIN}
depends_on:
- nextcloud
- gitea
- collabora
- pihole
- foundry
- tt-rss
- homebox
- navidrome
ports:
- 443:443
# - tt-rss:/var/www/html/tt-rss:ro
networks:
- nginx
certs:
<<: *certs
profiles: ["dev"]
image: paulczar/omgwtfssl
restart: "no"
volumes:
- /opt/ssl:/certs
environment:
- SSL_SUBJECT=${DOMAIN}
- CA_SUBJECT=chris@${DOMAIN}
@@ -684,34 +828,23 @@ services:
- SSL_CSR=/certs/${DOMAIN}.csr
- SSL_CERT=/certs/${DOMAIN}.crt
psqldb:
<<: *logging
image: postgres:12-alpine
restart: unless-stopped
environment:
- POSTGRES_USER=${DB_USER}
- POSTGRES_PASSWORD=${DB_PASSWORD}
- POSTGRES_DB=scarif
volumes:
- psqldb:/var/lib/postgresql/data
networks:
- db
volumes:
db:
psqldb:
tt-rss:
gitea:
nextcloud:
foundry:
homebox:
navidrome:
minecraft:
change:
mongodb:
searxng:
pgdata2:
meilisearch:
networks:
db:
nginx:
redis:
meet.jitsi:
playwright:

205
librechat/librechat.yaml Normal file
View File

@@ -0,0 +1,205 @@
# For more information, see the Configuration Guide:
# https://www.librechat.ai/docs/configuration/librechat_yaml
# Configuration version (required)
version: 1.2.1
# Cache settings: Set to true to enable caching
cache: true
# File strategy s3/firebase
# fileStrategy: "s3"
# Custom interface configuration
interface:
customWelcome: "Welcome to DroidChat! How may I be of assistance?"
# MCP Servers UI configuration
mcpServers:
placeholder: 'MCP Servers'
# Privacy policy settings
privacyPolicy:
externalUrl: 'https://librechat.ai/privacy-policy'
openNewTab: true
# Terms of service
termsOfService:
externalUrl: 'https://librechat.ai/tos'
openNewTab: true
modalAcceptance: true
modalTitle: "Terms of Service for LibreChat"
modalContent: |
# Terms and Conditions for LibreChat
Welcome to LibreChat!
endpointsMenu: true
modelSelect: true
parameters: true
sidePanel: true
presets: true
prompts: true
bookmarks: true
multiConvo: true
agents: true
# Temporary chat retention period in hours (default: 720, min: 1, max: 8760)
# temporaryChatRetention: 1
speech:
tts:
openai:
url: 'https://aihubmix.com/v1'
apiKey: '${AIHUBMIX_KEY}'
model: 'gpt-4o-mini-tts'
voices: [
'alloy',
'ash',
'ballad',
'coral',
'echo',
'fable',
'nova',
'onyx',
'sage',
'shimmer',
]
stt:
openai:
url: 'https://aihubmix.com/v1'
apiKey: '${AIHUBMIX_KEY}'
model: 'distil-whisper-large-v3-en'
# Example MCP Servers Object Structure
# mcpServers:
# everything:
# # type: sse # type can optionally be omitted
# url: http://localhost:3001/sse
# timeout: 60000 # 1 minute timeout for this server, this is the default timeout for MCP servers.
puppeteer:
type: stdio
command: npx
args:
- -y
- "@modelcontextprotocol/server-puppeteer"
timeout: 300000 # 5 minutes timeout for this server
filesystem:
# type: stdio
command: npx
args:
- -y
- "@modelcontextprotocol/server-filesystem"
- /files/Library
- /files/RPG/Resources
mcp-obsidian:
command: npx
args:
- -y
- "mcp-obsidian"
- /files/Notes
# Definition of custom endpoints
endpoints:
# assistants:
# disableBuilder: false # Disable Assistants Builder Interface by setting to `true`
# pollIntervalMs: 3000 # Polling interval for checking assistant updates
# timeoutMs: 180000 # Timeout for assistant operations
# # Should only be one or the other, either `supportedIds` or `excludedIds`
# supportedIds: ["asst_supportedAssistantId1", "asst_supportedAssistantId2"]
# # excludedIds: ["asst_excludedAssistantId"]
# # Only show assistants that the user created or that were created externally (e.g. in Assistants playground).
# # privateAssistants: false # Does not work with `supportedIds` or `excludedIds`
# # (optional) Models that support retrieval, will default to latest known OpenAI models that support the feature
# retrievalModels: ["gpt-4-turbo-preview"]
# # (optional) Assistant Capabilities available to all users. Omit the ones you wish to exclude. Defaults to list below.
# capabilities: ["code_interpreter", "retrieval", "actions", "tools", "image_vision"]
# agents:
# # (optional) Default recursion depth for agents, defaults to 25
# recursionLimit: 50
# # (optional) Max recursion depth for agents, defaults to 25
# maxRecursionLimit: 100
# # (optional) Disable the builder interface for agents
# disableBuilder: false
# # (optional) Agent Capabilities available to all users. Omit the ones you wish to exclude. Defaults to list below.
# capabilities: ["execute_code", "file_search", "actions", "tools"]
custom:
- name: 'OpenRouter'
apiKey: '${OPENROUTER_KEY}'
baseURL: 'https://openrouter.ai/api/v1'
models:
default:
- 'switchpoint/router'
- 'moonshotai/kimi-k2:free'
- 'deepseek/deepseek-chat-v3-0324:free'
- 'deepseek/deepseek-r1-0528:free'
- 'openai/gpt-4.1'
- 'openai/o3'
fetch: true
titleConvo: true
titleModel: 'moonshotai/kimi-k2:free'
dropParams: ['stop']
modelDisplayLabel: 'OpenRouter'
- name: 'AiHubMix'
apiKey: '${AIHUBMIX_KEY}'
baseURL: 'https://aihubmix.com/v1'
models:
default:
- 'moonshotai/kimi-k2:free'
- 'deepseek/deepseek-chat-v3-0324:free'
- 'deepseek/deepseek-r1-0528:free'
fetch: true
titleConvo: true
titleModel: 'gpt-4o-mini'
dropParams: ['stop']
modelDisplayLabel: 'OpenRouter'
fileConfig:
# endpoints:
# assistants:
# fileLimit: 5
# fileSizeLimit: 10 # Maximum size for an individual file in MB
# totalSizeLimit: 50 # Maximum total size for all files in a single request in MB
# supportedMimeTypes:
# - "image/.*"
# - "application/pdf"
# openAI:
# disabled: true # Disables file uploading to the OpenAI endpoint
# default:
# totalSizeLimit: 20
# YourCustomEndpointName:
# fileLimit: 2
# fileSizeLimit: 5
# serverFileSizeLimit: 100 # Global server file size limit in MB
# avatarSizeLimit: 2 # Limit for user avatar image size in MB
# imageGeneration: # Image Gen settings, either percentage or px
# percentage: 100
# px: 1024
# # Client-side image resizing to prevent upload errors
clientImageResize:
enabled: true
maxWidth: 1900
maxHeight: 1900
quality: 0.92
# Memory configuration for user memories
# memory:
# # (optional) Disable memory functionality
# disabled: false
# # (optional) Restrict memory keys to specific values to limit memory storage and improve consistency
# validKeys: ["preferences", "work_info", "personal_info", "skills", "interests", "context"]
# # (optional) Maximum token limit for memory storage (not yet implemented for token counting)
# tokenLimit: 10000
# # (optional) Enable personalization features (defaults to true if memory is configured)
# # When false, users will not see the Personalization tab in settings
# personalize: true
# # Memory agent configuration - either use an existing agent by ID or define inline
# agent:
# # Option 1: Use existing agent by ID
# # id: "your-memory-agent-id"
# # Option 2: Define agent inline
# provider: "openrouter"
# model: "openai/gpt-4o-mini"
# instructions: "You are a memory management assistant. Store and manage user information accurately."
# model_parameters:
# temperature: 0.1

2
nextcloud/Dockerfile
View File

@@ -34,7 +34,7 @@ RUN set -ex; \
RUN mkdir -p \
/var/log/supervisord \
/var/run/supervisord \
;
;
RUN addgroup -S -g 1000 nextcloud; \
adduser -S -u 1000 -G nextcloud nextcloud; \

20
nginx/conf.d/custom_proxy.conf Normal file
View File

@@ -0,0 +1,20 @@
# server {
# listen 443 ssl http2;
#
# ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
# ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
#
# server_name christmas.${DOMAIN};
#
# gzip_types text/plain text/css application/json application/x-javascript
# text/xml application/xml application/xml+rss text/javascript;
#
# root "/var/www/html/christmas";
#
# location / {
# try_files $uri.html $uri /default.html;
# }
# }
proxy_buffering off;

2
nginx/nginx.conf.template
View File

@@ -376,7 +376,6 @@ http {
client_max_body_size 300M;
location /foundry {
# Set proxy headers
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -385,7 +384,6 @@ http {
# These are important to support WebSockets;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://foundry-handler;
}

6
nginx/vhost.d/labs_location Normal file
View File

@@ -0,0 +1,6 @@
if ($http_origin ~* (https?://(?:www\.)?5e\.tools|https?://(?:www\.)?rec\.scarif\.space)) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}

42
nginx/vhost.d/office Normal file
View File

@@ -0,0 +1,42 @@
# static files
location ^~ /browser {
proxy_pass http://$server_name;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://$server_name;
proxy_set_header Host $http_host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://$server_name;
proxy_set_header Host $http_host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://$server_name;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://$server_name;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://$server_name;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}

23
nginx/vhost.d/rec Normal file
View File

@@ -0,0 +1,23 @@
Need to figure out how to get this working with nginx-proxy
# This file is for the /change/socket.io and /change/peer paths
location ~ ^/change/(socket\.io|peer) {
# Set proxy headers
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket specific headers
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
# WebSocket specific settings
proxy_buffering off;
proxy_redirect off;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_pass http://$server_name;
}

67
nginx/vhost.d/tower Normal file
View File

@@ -0,0 +1,67 @@
root /var/www/html/nextcloud;
# Prevent nginx HTTP Server Detection
server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# set max upload size and increase upload timeout:
client_max_body_size 10G;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# The settings allows you to optimize the HTTP2 bandwidth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tuning hints
client_body_buffer_size 512k;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Set .mjs and .wasm MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
types {
text/javascript mjs;
application/wasm wasm;
}
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;

93
nginx/vhost.d/tower_location_override Normal file
View File

@@ -0,0 +1,93 @@
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass http://$server_name;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
# Serve static files
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets
}
location ~ \.(otf|woff2?)$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}

7
searxng/limiter.toml Normal file
View File

@@ -0,0 +1,7 @@
# This configuration file updates the default configuration file
# See https://github.com/searxng/searxng/blob/master/searx/limiter.toml
[botdetection.ip_limit]
# activate advanced bot protection
# enable this when running the instance for a public usage on the internet
link_token = false

7
searxng/settings.yml Normal file
View File

@@ -0,0 +1,7 @@
# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
use_default_settings: true
server:
limiter: true # enable this when running the instance for a public usage on the internet
image_proxy: true
redis:
url: redis://redis:6379/0