
Fix default folder permissions

Nicolas Meienberger 3 năm trước cách đây
mục cha
commit
95a9225e84

+ 12 - 12
ansible/tasks/common/docker.yml

@@ -49,19 +49,19 @@
 - name: Make docker-compose executable
   shell: chmod +x /usr/local/bin/docker-compose
 
-- name: Disable iptables for docker by editing file /etc/default/docker
-  lineinfile:
-    path: /etc/default/docker
-    regexp: "^DOCKER_OPTS="
-    line: "DOCKER_OPTS=\"--iptables=false\""
-    state: present
+# - name: Disable iptables for docker by editing file /etc/default/docker
+#   lineinfile:
+#     path: /etc/default/docker
+#     regexp: "^DOCKER_OPTS="
+#     line: "DOCKER_OPTS=\"--iptables=false\""
+#     state: present
 
-- name: Create file /etc/docker/daemon.json with content hello world written inside
-  lineinfile:
-    path: /etc/docker/daemon.json
-    regexp: "^"
-    line: "{ \"iptables\": false }"
-    state: present
+# - name: Create file /etc/docker/daemon.json with content hello world written inside
+#   lineinfile:
+#     path: /etc/docker/daemon.json
+#     regexp: "^"
+#     line: "{ \"iptables\": false }"
+#     state: present
 
 - name: Create group docker
   group:
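Review bot: The two `lineinfile` tasks at the top of this hunk are kept as twelve commented-out lines instead of being removed, which leaves dead playbook content that yamllint will not check and that a later reader may revive without knowing why it was disabled; git history already preserves them, so delete the `#` blocks outright. If the decision needs to stay discoverable, a single comment in their place is enough, e.g. `# Docker's own iptables management is deliberately left enabled; do not set --iptables=false here.` The task name `Create file /etc/docker/daemon.json with content hello world written inside` was already wrong before this commit and can disappear with it. Note that with Docker managing iptables again, the ports published elsewhere in this commit (53/tcp+udp for pihole, 51822/udp for wg-easy) are inserted ahead of host firewall chains, so any ufw/host-firewall assumption should be re-checked — inferred, not visible on the page.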

+ 2 - 2
apps/filerun/docker-compose.yml

@@ -21,9 +21,9 @@ services:
       FR_DB_NAME: tipi
       FR_DB_USER: tipi
       FR_DB_PASS: tipi
-      APACHE_RUN_USER: www-data
+      APACHE_RUN_USER: ${PUID}
+      APACHE_RUN_GROUP: ${PGID}
       APACHE_RUN_USER_ID: 33
-      APACHE_RUN_GROUP: www-data
       APACHE_RUN_GROUP_ID: 33
     depends_on:
       - db
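Review bot: `APACHE_RUN_USER: ${PUID}` and `APACHE_RUN_GROUP: ${PGID}` now receive numeric ids while `APACHE_RUN_USER_ID: 33` and `APACHE_RUN_GROUP_ID: 33` still carry www-data's ids, so the four keys describe two different identities; presumably the image expects a name in `APACHE_RUN_USER` and the matching number in `APACHE_RUN_USER_ID` — confirm against the filerun image docs and feed `${PUID}`/`${PGID}` to the `_ID` keys instead. Nothing in this commit's scripts/app.sh exports PUID or PGID (it exports APP_DATA_DIR, APP_DIR, DEVICE_IP, ROOT_FOLDER), so unless they come from elsewhere the interpolation yields an empty string; a default such as `${PUID:-1000}` matches what the other apps in this commit hardcode. The enclosing service entry starts before the hunk.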

+ 0 - 0
apps/nextcloud/data/db/.gitkeep → apps/jellyfin/data/config/.gitkeep


+ 0 - 0
apps/pi-hole/data/dnsmasq/.gitkeep → apps/jellyfin/data/media/.gitkeep


+ 1 - 5
apps/jellyfin/docker-compose.yml

@@ -10,13 +10,9 @@ services:
     environment:
       - PUID=1000
       - PGID=1000
-      - TZ=Europe/London
-      # - JELLYFIN_PublishedServerUrl=192.168.0.5 #optional
+      - TZ=${TZ}
     restart: "unless-stopped"
     ports:
       - ${APP_PORT}:8096
     networks:
       - tipi_main_network
-    # Optional - alternative address used for autodiscovery
-    # environment:
-    #   - JELLYFIN_PublishedServerUrl=http://example.com
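Review bot: `- TZ=${TZ}` becomes an empty `TZ=` when the variable is not set in the compose environment, whereas apps/wg-easy/docker-compose.yml in this same commit uses the `${VAR:-default}` form; `- TZ=${TZ:-Etc/UTC}` keeps the container on a defined zone. PUID/PGID remain hardcoded to 1000 here and in apps/syncthing/docker-compose.yml while apps/filerun/docker-compose.yml switches to `${PUID}`/`${PGID}` in this commit; the apps should agree on one convention. The `services:` block starts before the hunk.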

+ 15 - 18
apps/nextcloud/docker-compose.yml

@@ -3,24 +3,21 @@ version: "3.7"
 services:
   db-nextcloud:
     container_name: db-nextcloud
-    # user: '1000:1000'
-    image: mariadb:10.5.12
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    image: postgres:14.2
     restart: on-failure
     volumes:
-      - ${APP_DATA_DIR}/data/db:/var/lib/mysql
+      - ${APP_DATA_DIR}/data/db:/var/lib/postgresql/data
     environment:
-      - MYSQL_ROOT_PASSWORD=password
-      - MYSQL_PASSWORD=password
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
+      - POSTGRES_PASSWORD=tipi
+      - POSTGRES_USER=tipi
+      - POSTGRES_DB=nextcloud
     networks:
       - tipi_main_network
 
   redis-nextcloud:
     container_name: redis-nextcloud
-    # user: '1000:1000'
-    image: redis:6.2.2-buster
+    user: "1000:1000"
+    image: redis:6.2.6
     restart: on-failure
     volumes:
       - "${APP_DATA_DIR}/data/redis:/data"
@@ -28,7 +25,7 @@ services:
       - tipi_main_network
 
   cron:
-    image: nextcloud:22.0.0-apache
+    image: nextcloud:23.0.3-apache
     restart: on-failure
     volumes:
       - ${APP_DATA_DIR}/data/nextcloud:/var/www/html
@@ -40,23 +37,23 @@ services:
       - tipi_main_network
 
   nextcloud:
-    user: root
     container_name: nextcloud
-    image: nextcloud:22.1.1-apache
+    image: nextcloud:23.0.3-apache
     restart: unless-stopped
     ports:
       - ${APP_PORT}:80
     volumes:
       - ${APP_DATA_DIR}/data/nextcloud:/var/www/html
+      - /volumes/nfs:/nfs
     environment:
-      - MYSQL_HOST=db-nextcloud
+      - POSTGRES_HOST=db-nextcloud
       - REDIS_HOST=redis-nextcloud
-      - MYSQL_PASSWORD=password
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
+      - POSTGRES_PASSWORD=tipi
+      - POSTGRES_USER=tipi
+      - POSTGRES_DB=nextcloud
       - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
       - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
-      - NEXTCLOUD_TRUSTED_DOMAINS=tipi.local
+      - NEXTCLOUD_TRUSTED_DOMAINS=tipi.local ${DEVICE_IP}:${APP_PORT}
     depends_on:
       - db-nextcloud
       - redis-nextcloud
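Review bot: `- POSTGRES_PASSWORD=tipi` is committed as a fixed credential in both the db-nextcloud and nextcloud services, so every install shares the same database password; the admin password is already injected via `${NEXTCLOUD_ADMIN_PASSWORD}`, and the database password should be a per-install generated variable in the same way, e.g. `- POSTGRES_PASSWORD=${NEXTCLOUD_DB_PASSWORD}` (variable name illustrative). The db-nextcloud service changes image from mariadb to postgres but keeps `${APP_DATA_DIR}/data/db` as its data volume; an existing install with MariaDB files in that directory will presumably not initialise under postgres, so either a migration step or a fresh path is needed — confirm. `- /volumes/nfs:/nfs` binds a fixed host path that no other app on the page references; if it is specific to one machine it belongs in a variable or should be dropped from the shared definition.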

+ 0 - 23
apps/pi-hole/config.json

@@ -1,23 +0,0 @@
-{
-  "name": "PiHole",
-  "port": 8081,
-  "requirements": {
-    "ports": [53]
-  },
-  "id": "pi-hole",
-  "description": "",
-  "short_desc": "",
-  "author": "",
-  "source": "",
-  "image": "https://avatars.githubusercontent.com/u/16827203?s=200&v=4",
-  "form_fields": {
-    "password": {
-      "type": "password",
-      "label": "Password",
-      "max": 50,
-      "min": 3,
-      "required": true,
-      "env_variable": "APP_PASSWORD"
-    }
-  }
-}

+ 0 - 24
apps/pi-hole/data/unbound_old/unbound_old.conf

@@ -1,24 +0,0 @@
-## DNS Over TLS, Simple ENCRYPTED recursive caching DNS, TCP port 853
-## unbound.conf, original at https://calomel.org/unbound_dns.html
-# tweaks by bartonbytes.com
-server:
-access-control: 127.0.0.0/8 allow
-cache-max-ttl: 14400
-cache-min-ttl: 600
-do-tcp: yes
-hide-identity: yes
-hide-version: yes
-interface: 127.0.0.1
-minimal-responses: yes
-prefetch: yes
-qname-minimisation: yes
-rrset-roundrobin: yes
-ssl-upstream: yes
-use-caps-for-id: yes
-verbosity: 1
-port: 5533
-#
-forward-zone:
-name: "."
-forward-addr: 194.242.2.3@853 # Mullvad primary
-forward-addr: 193.19.108.3@853 # Mullvad secondary

+ 0 - 38
apps/pi-hole/docker-compose.yml

@@ -1,38 +0,0 @@
-version: "3.7"
-
-services:
-  # unbound:
-  #   container_name: unbound
-  #   mac_address: d0:ca:ab:cd:ef:02
-  #   image: mvance/unbound:latest
-  #   ports:
-  #     - 53/tcp
-  #     - 53/udp
-  #   volumes:
-  #     - ${APP_DATA_DIR}/data/unbound:/etc/unbound
-  #   networks:
-  #     - tipi_main_network
-  
-  pi-hole:
-    container_name: pi-hole
-    image: cbcrowe/pihole-unbound:latest
-    restart: on-failure
-    ports:
-      - 53:53/tcp
-      - 53:53/udp
-      - ${APP_PORT}:80
-    volumes:
-      - ${APP_DATA_DIR}/data/pihole:/etc/pihole/
-      - ${APP_DATA_DIR}/data/dnsmasq:/etc/dnsmasq.d/
-      - ${APP_DATA_DIR}/data/unbound:/etc/unbound/
-    environment:
-      TZ: ${TZ}
-      WEBPASSWORD: ${APP_PASSWORD}
-      PIHOLE_DNS_: 127.0.0.1#5335
-    networks:
-      - tipi_main_network
-    # labels:
-    #   traefik.enable: true
-    #   traefik.http.routers.traefik.rule: Host(`pihole.${DOMAIN}`)
-    #   traefik.http.services.traefik.loadbalancer.server.port: $APP_PI_HOLE_PORT
-

+ 23 - 0
apps/pihole/config.json

@@ -0,0 +1,23 @@
+{
+    "name": "PiHole",
+    "port": 8081,
+    "requirements": {
+        "ports": [53]
+    },
+    "id": "pihole",
+    "description": "",
+    "short_desc": "",
+    "author": "",
+    "source": "",
+    "image": "https://avatars.githubusercontent.com/u/16827203?s=200&v=4",
+    "form_fields": {
+        "password": {
+            "type": "password",
+            "label": "Password",
+            "max": 50,
+            "min": 3,
+            "required": true,
+            "env_variable": "APP_PASSWORD"
+        }
+    }
+}
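Review bot: This file is indented with four spaces while apps/syncthing/config.json and apps/wg-easy/config.json in the same commit use two, so the pi-hole → pihole rename also reformats every line; keeping the two-space layout would reduce the real change to `"id": "pihole"`. `description`, `short_desc`, `author` and `source` stay empty strings where the syncthing entry fills them in.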

+ 24 - 0
apps/pihole/docker-compose.yml

@@ -0,0 +1,24 @@
+version: "3.7"
+
+services:
+  pihole:
+    container_name: pihole
+    image: cbcrowe/pihole-unbound:latest
+    restart: unless-stopped
+    ports:
+      - 53:53/tcp
+      - 53:53/udp
+      - ${APP_PORT}:80
+    volumes:
+      - ${APP_DATA_DIR}/data/pihole:/etc/pihole
+      - ${APP_DATA_DIR}/data/dnsmasq:/etc/dnsmasq.d
+    environment:
+      TZ: ${TZ}
+      WEBPASSWORD: ${APP_PASSWORD}
+      PIHOLE_DNS_: 127.0.0.1#5335
+      FTLCONF_REPLY_ADDR4: 192.168.2.132
+      PIHOLE_DNS_: 127.0.0.1#5335
+      DNSSEC: "true"
+      DNSMASQ_LISTENING: single
+    networks:
+      - tipi_main_network
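Review bot: `PIHOLE_DNS_` appears twice in the `environment` mapping (once after `WEBPASSWORD`, again after `FTLCONF_REPLY_ADDR4`); duplicate keys are invalid YAML and most loaders silently keep the last one, so drop one of the two lines. `FTLCONF_REPLY_ADDR4: 192.168.2.132` hardcodes a single machine's LAN address into a shared app definition, and scripts/app.sh in this commit exports that same address as `DEVICE_IP`, so `FTLCONF_REPLY_ADDR4: ${DEVICE_IP}` keeps one source of truth. The unbound volume mounted by the old apps/pi-hole compose file is not carried over, so `PIHOLE_DNS_: 127.0.0.1#5335` now relies on whatever unbound configuration ships inside the image — confirm that is intended.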

+ 12 - 0
apps/syncthing/config.json

@@ -0,0 +1,12 @@
+{
+  "name": "Syncthing",
+  "port": 8090,
+  "id": "syncthing",
+  "description": "Syncthing is a peer-to-peer continuous file synchronization program. It synchronizes files between two or more computers in real time, safely protected from prying eyes. Your data is your data alone and you deserve to choose where it is stored, whether it is shared with some third party, and how it's transmitted over the internet.\n\nInstall the Syncthing app on your Umbrel and pair it with the Syncthing app on your phone or computer for a self hosted peer-to-peer backup solution.",
+  "short_desc": "Peer-to-peer file synchronization between your devices",
+  "author": "The Syncthing Foundation",
+  "source": "https://github.com/syncthing",
+  "website": "https://syncthing.net",
+  "image": "https://avatars.githubusercontent.com/u/7628018?s=200&v=4",
+  "form_fields": {}
+}
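Review bot: The `description` value ends with "Install the Syncthing app on your Umbrel and pair it …", which names a different product; the rest of the page identifies this project as tipi, so that sentence should be rewritten, e.g. `Install the Syncthing app on your tipi and pair it with the Syncthing app on your phone or computer for a self hosted peer-to-peer backup solution.` The first paragraph is upstream marketing copy and can be shortened to what the app does if the field is shown to users.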

+ 0 - 0
apps/pi-hole/data/pihole/.gitkeep → apps/syncthing/data/.gitkeep


+ 20 - 0
apps/syncthing/docker-compose.yml

@@ -0,0 +1,20 @@
+version: "3.7"
+
+services:
+  server:
+    image: syncthing/syncthing:1.19
+    stop_grace_period: 1m
+    hostname: tipi
+    environment:
+      - PUID=1000
+      - PGID=1000
+    volumes:
+      - ${APP_DATA_DIR}/data:/var/syncthing
+    ports:
+      - ${APP_PORT}:8384
+      - 22000:22000/tcp # TCP file transfers
+      - 22000:22000/udp # QUIC file transfers
+      - 21027:21027/udp # Receive local discovery broadcasts
+    restart: unless-stopped
+    networks:
+      - tipi_main_network

+ 0 - 0
apps/transmission/data/config/.gitkeep


+ 0 - 0
apps/transmission/data/downloads/.gitkeep


+ 0 - 0
apps/transmission/data/watch/.gitkeep


+ 2 - 1
apps/transmission/docker-compose.yml

@@ -1,6 +1,7 @@
 version: "3.7"
 services:
   transmission:
+    user: 1000:1000
     image: lscr.io/linuxserver/transmission
     container_name: transmission
     environment:
@@ -22,4 +23,4 @@ services:
       - 51413:51413/udp
     restart: unless-stopped
     networks:
-      - tipi_main_network
+      - tipi_main_network
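Review bot: `user: 1000:1000` is added unquoted, while apps/nextcloud/docker-compose.yml in this commit writes `user: "1000:1000"`; quote it here too so the value is unambiguously a string for every YAML loader. The lscr.io/linuxserver images start their s6 init as root and drop to the PUID/PGID passed in `environment`, so a compose-level `user:` override may stop the container from starting — confirm against the image documentation before relying on it (the `environment` block is cut off by the hunk). The second hunk only changes the trailing newline.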

+ 6 - 0
apps/wg-easy/config.json

@@ -24,6 +24,12 @@
       "min": 3,
       "required": true,
       "env_variable": "WIREGUARD_PASSWORD"
+    },
+    "dns": {
+      "type": "ip",
+      "label": "Default DNS server",
+      "required": false,
+      "env_variable": "WIREGUARD_DNS"
     }
   }
 }
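Review bot: The new `dns` field declares `"type": "ip"`, and nothing on the page shows whether the form handler knows that type; if it falls back to free text, the value reaches `WG_DEFAULT_DNS` unvalidated and is written into every generated WireGuard client config. Confirm the type is validated as an IPv4/IPv6 literal, or add that validation, and consider a label that says a blank value falls back to 8.8.8.8, which is what `${WIREGUARD_DNS:-8.8.8.8}` in the compose file does. The enclosing `form_fields` object starts before the hunk.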

+ 0 - 0
apps/wg-easy/data/.gitkeep


+ 12 - 9
apps/wg-easy/docker-compose.yml

@@ -4,25 +4,28 @@ services:
     container_name: wg-easy
     image: "meienberger/wg-easy:latest"
     restart: unless-stopped
-    network_mode: "host"
+    # network_mode: "host"
     volumes:
-      - ${APP_DATA_DIR}:/etc/wireguard
+      - ${APP_DATA_DIR}/data:/etc/wireguard
       - /lib/modules:/lib/modules
     ports:
-      - 51820:51820/udp
-      - ${APP_PORT}:51821
+      - 51822:51820/udp
+      - ${APP_PORT}:51821/tcp
     environment:
       WG_HOST: "${WIREGUARD_HOST}"
       PASSWORD: "${WIREGUARD_PASSWORD}"
-      WG_DEFAULT_DNS: 8.8.8.8
       WG_ALLOWED_IPS: 0.0.0.0/0,::/0
-      WG_FWMARK: 51820
+      WG_PORT: 51822
+      WG_DEFAULT_DNS: "${WIREGUARD_DNS:-8.8.8.8}"
+      # WG_FWMARK: 51820
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
-    # sysctls:
-    # - net.ipv4.conf.all.src_valid_mark=1
-    # - net.ipv4.ip_forward=1
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv4.ip_forward=1
+    networks:
+      - tipi_main_network
     # labels:
     #   traefik.enable: true
     #   traefik.http.routers.wireguard.rule: Host(`wireguard.tipi.home`)
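Review bot: The service keeps `SYS_MODULE` in `cap_add` together with the `/lib/modules:/lib/modules` mount after moving off host networking; `SYS_MODULE` allows loading arbitrary kernel modules, which is effectively host root, and on kernels with in-tree WireGuard (5.6 and later) it is only needed when the module is not already loaded. Loading the module once from the Ansible playbook (the `modprobe` module) and dropping both the capability and the mount would leave only `NET_ADMIN`, which the interface setup and the new `sysctls` need — confirm the target kernel before removing. `# network_mode: "host"` and `# WG_FWMARK: 51820` are commented-out leftovers and can be deleted.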

+ 1 - 1
dashboard/src/core/api.ts

@@ -1,6 +1,6 @@
 import axios, { Method } from 'axios';
 
-export const BASE_URL = 'http://192.168.2.146:3001';
+export const BASE_URL = 'http://192.168.2.132:3001';
 
 interface IFetchParams {
   endpoint: string;
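Review bot: `BASE_URL` remains a hardcoded private LAN address (`http://192.168.2.132:3001`), so the dashboard only works on the one machine it was last edited on and every move produces a commit like this one; the same literal is hardcoded as `DEVICE_IP` in scripts/app.sh and as `FTLCONF_REPLY_ADDR4` in apps/pihole/docker-compose.yml. Build the URL from the page origin (a template literal using `window.location.hostname` and the API port) or from a build-time environment variable, and keep the constant as the fallback only.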

+ 3 - 1
scripts/app.sh

@@ -87,8 +87,10 @@ compose() {
 
   # Vars to use in compose file
   export APP_DATA_DIR="${app_data_dir}"
-  export APP_PASSWORD="password"
   export APP_DIR="${app_dir}"
+
+  # TODO: Fix for dynamic detection
+  export DEVICE_IP="192.168.2.132"
   export ROOT_FOLDER="${ROOT_FOLDER}"
 
   # Docker-compose does not support multiple env files
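Review bot: `export DEVICE_IP="192.168.2.132"` pins one machine's address into a script every install runs, and until the TODO is resolved every other host gets a wrong entry in `NEXTCLOUD_TRUSTED_DOMAINS=tipi.local ${DEVICE_IP}:${APP_PORT}` and in pihole's `FTLCONF_REPLY_ADDR4`. A first approximation is `export DEVICE_IP="${DEVICE_IP:-$(hostname -I | awk '{print $1}')}"`, which also lets an operator override it, or read it from wherever `${ROOT_FOLDER}` is configured. Removing `export APP_PASSWORD="password"` leaves apps/pihole/config.json's `APP_PASSWORD` form field to be supplied by whatever processes form fields — confirm it is set elsewhere, since an unset value becomes an empty `WEBPASSWORD`. `compose()` starts before the hunk.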

+ 5 - 0
scripts/start.sh

@@ -24,6 +24,11 @@ if [[ ! -f "${STATE_FOLDER}/configured" ]]; then
   "${ROOT_FOLDER}/scripts/configure.sh"
 fi
 
+# Copy the app state if it isn't here
+if [[ ! -d "${STATE_FOLDER}/apps.json" ]]; then
+  cp "${STATE_FOLDER}/apps.example.json" "${STATE_FOLDER}/apps.json"
+fi
+
 ansible-playbook ansible/start.yml -i ansible/hosts -K
 
 export DOCKER_CLIENT_TIMEOUT=240
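Review bot: `[[ ! -d "${STATE_FOLDER}/apps.json" ]]` tests for a directory, but apps.json is a file, so the condition is true on every start and the `cp` overwrites the existing app state with apps.example.json each time the script runs; use `-f`: `if [[ ! -f "${STATE_FOLDER}/apps.json" ]]; then`. The `configured` check just above already uses `-f`, so this also restores consistency within the script.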

+ 17 - 0
system-api/package-lock.json

@@ -7817,6 +7817,16 @@
       "integrity": "sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==",
       "dev": true
     },
+    "node_modules/graphql": {
+      "version": "15.8.0",
+      "resolved": "https://registry.npmjs.org/graphql/-/graphql-15.8.0.tgz",
+      "integrity": "sha512-5gghUc24tP9HRznNpV2+FIoq3xKkj5dTQqf4v0CpdPbFVwFkWoxOM+o+2OC9ZSvjEMTjfmG9QT+gcvggTwW1zw==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 10.x"
+      }
+    },
     "node_modules/graphql-config": {
       "version": "3.4.1",
       "resolved": "https://registry.npmjs.org/graphql-config/-/graphql-config-3.4.1.tgz",
@@ -19897,6 +19907,13 @@
       "integrity": "sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==",
       "dev": true
     },
+    "graphql": {
+      "version": "15.8.0",
+      "resolved": "https://registry.npmjs.org/graphql/-/graphql-15.8.0.tgz",
+      "integrity": "sha512-5gghUc24tP9HRznNpV2+FIoq3xKkj5dTQqf4v0CpdPbFVwFkWoxOM+o+2OC9ZSvjEMTjfmG9QT+gcvggTwW1zw==",
+      "dev": true,
+      "peer": true
+    },
     "graphql-config": {
       "version": "3.4.1",
       "resolved": "https://registry.npmjs.org/graphql-config/-/graphql-config-3.4.1.tgz",

+ 1 - 1
system-api/src/config/apps.ts

@@ -1 +1 @@
-export const appNames = ['nextcloud', 'freshrss', 'anonaddy', 'filerun', 'wg-easy', 'radarr', 'transmission', 'jellyfin', 'pi-hole', 'busybox'];
+export const appNames = ['nextcloud', 'freshrss', 'anonaddy', 'filerun', 'wg-easy', 'radarr', 'transmission', 'jellyfin', 'pihole', 'busybox'];