Add Pi-hole with AdGuard DOH/DOT integration, reorganize swarm stacks, add DNS/n8n docs

2025-12-18 15:38:57 +00:00
parent 827f8bbf9d
commit f0c525d0df
44 changed files with 3013 additions and 486 deletions
--- a/services/swarm/stacks/applications/applications-stack.yml
+++ b/services/swarm/stacks/applications/applications-stack.yml
@@ -0,0 +1,255 @@
+version: '3.8'
+
+networks:
+  traefik-public:
+    external: true
+  homelab-backend:
+    driver: overlay
+
+volumes:
+  paperless_data:
+  paperless_media:
+  paperless_db:
+  paperless_redis:
+  stirling_pdf_data:
+  searxng_data:
+
+secrets:
+  paperless_db_password:
+    external: true
+
+
+services:
+  paperless-redis:
+    image: redis:7-alpine
+    volumes:
+      - paperless_redis:/data
+    networks:
+      - homelab-backend
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
+    deploy:
+      placement:
+        constraints:
+          - node.labels.leader == true
+      resources:
+        limits:
+          memory: 256M
+          cpus: '0.5'
+        reservations:
+          memory: 64M
+          cpus: '0.1'
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  paperless-db:
+    image: postgres:15-alpine
+    volumes:
+      - paperless_db:/var/lib/postgresql/data
+    networks:
+      - homelab-backend
+    environment:
+      - POSTGRES_DB=paperless
+      - POSTGRES_USER=paperless
+      - POSTGRES_PASSWORD_FILE=/run/secrets/paperless_db_password
+    secrets:
+      - paperless_db_password
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U paperless"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+    deploy:
+      placement:
+        constraints:
+          - node.labels.leader == true
+      resources:
+        limits:
+          memory: 512M
+          cpus: '1.0'
+        reservations:
+          memory: 256M
+          cpus: '0.25'
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  paperless:
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    volumes:
+      - paperless_data:/usr/src/paperless/data
+      - paperless_media:/usr/src/paperless/media
+    environment:
+      - PAPERLESS_REDIS=redis://paperless-redis:6379
+      - PAPERLESS_DBHOST=paperless-db
+      - PAPERLESS_DBNAME=paperless
+      - PAPERLESS_DBUSER=paperless
+      - PAPERLESS_DBPASS_FILE=/run/secrets/paperless_db_password
+      - PAPERLESS_URL=https://paperless.sterl.xyz
+      - PAPERLESS_SECRET_KEY=e83bed4e4604e760c0429188e1781b0a8f89de936336a53609340f6b3e2182b8
+      - TZ=America/Chicago
+    secrets:
+      - paperless_db_password
+
+    depends_on:
+      - paperless-redis
+      - paperless-db
+    networks:
+      - traefik-public
+      - homelab-backend
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/api/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 90s
+    deploy:
+      placement:
+        constraints:
+          - node.labels.leader == true
+      resources:
+        limits:
+          memory: 1536M
+          cpus: '2.0'
+        reservations:
+          memory: 768M
+          cpus: '0.5'
+      restart_policy:
+        condition: on-failure
+        delay: 10s
+        max_attempts: 3
+      update_config:
+        parallelism: 1
+        delay: 10s
+        failure_action: rollback
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.paperless.rule=Host(`paperless.sterl.xyz`)"
+        - "traefik.http.routers.paperless.entrypoints=websecure"
+        - "traefik.http.routers.paperless.tls.certresolver=cfresolver"
+        - "traefik.http.services.paperless.loadbalancer.server.port=8000"
+        - "traefik.swarm.network=traefik-public"
+        - "tsdproxy.enable=true"
+        - "tsdproxy.name=paperless"
+        - "tsdproxy.container_port=8000"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  stirling-pdf:
+    image: stirlingtools/stirling-pdf:latest
+    volumes:
+      - stirling_pdf_data:/configs
+    environment:
+      - DOCKER_ENABLE_SECURITY=false
+      - INSTALL_BOOK_AND_ADVANCED_HTML_OPS=false
+      - LANGS=en_US
+    networks:
+      - traefik-public
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    deploy:
+      placement:
+        constraints:
+          - node.labels.leader == true
+      resources:
+        limits:
+          memory: 1536M
+          cpus: '2.0'
+        reservations:
+          memory: 768M
+          cpus: '0.5'
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+      update_config:
+        parallelism: 1
+        delay: 10s
+        failure_action: rollback
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.pdf.rule=Host(`pdf.sterl.xyz`)"
+        - "traefik.http.routers.pdf.entrypoints=websecure"
+        - "traefik.http.routers.pdf.tls.certresolver=cfresolver"
+        - "traefik.http.services.pdf.loadbalancer.server.port=8080"
+        - "traefik.swarm.network=traefik-public"
+        - "tsdproxy.enable=true"
+        - "tsdproxy.name=pdf"
+        - "tsdproxy.container_port=8080"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  searxng:
+    image: searxng/searxng:latest
+    volumes:
+      - searxng_data:/etc/searxng
+    environment:
+      - SEARXNG_BASE_URL=https://search.sterl.xyz/
+    networks:
+      - traefik-public
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    deploy:
+      placement:
+        constraints:
+          - node.labels.leader == true
+      resources:
+        limits:
+          memory: 1536M
+          cpus: '2.0'
+        reservations:
+          memory: 512M
+          cpus: '0.5'
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+      update_config:
+        parallelism: 1
+        delay: 10s
+        failure_action: rollback
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.searxng.rule=Host(`search.sterl.xyz`)"
+        - "traefik.http.routers.searxng.entrypoints=websecure"
+        - "traefik.http.routers.searxng.tls.certresolver=cfresolver"
+        - "traefik.http.services.searxng.loadbalancer.server.port=8080"
+        - "traefik.swarm.network=traefik-public"
+        - "tsdproxy.enable=true"
+        - "tsdproxy.name=search"
+        - "tsdproxy.container_port=8080"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"