Merge remote-tracking branch 'origin/main'

authentik/Caddyfilepart

@@ -0,0 +1,5 @@
+auth.domr.ovh,
+auth.home.domroese.eu {
+  tls soenke@domroese.eu
+  reverse_proxy 192.168.1.65:8444
+}

authentik/docker-compose.yml

@@ -18,6 +18,15 @@ services:
       POSTGRES_DB: ${PG_DB:-authentik}
     env_file:
       - .env
+    labels:
+      kuma.tools.tag.name: 'Tools'
+      kuma.tools.tag.color: '#FF9900'
+      kuma.homelab.tag.name: 'homelab'
+      kuma.homelab.tag.color: '#FF9955'
+      kuma.authentik.http.name: 'Authentik'
+      kuma.authentik.http.url: 'https://auth.domr.ovh'
+      kuma.authentik.http.tag_names: '[{"name": "tools", "value": "" }, {"name": "homelab", "value": "" }]'
+
   redis:
     image: docker.io/library/redis:alpine
     command: --save 60 1 --loglevel warning

bookstack/Caddyfilepart

@@ -0,0 +1,5 @@
+bookstack.domr.ovh, 
+bookstack.home.domroese.eu {
+    tls soenke@domroese.eu        
+    reverse_proxy 192.168.1.65:6875
+}

bookstack/bookstack_app_data/.migrations

@@ -0,0 +1,2 @@
+01-nginx-site-confs-default
+02-default-location

bookstack/bookstack_app_data/keys/cert.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDsTCCApmgAwIBAgIUAhL0p4nHY1NEhr+VTdZNCMGFIAQwDQYJKoZIhvcNAQEL
+BQAwaDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhDYXJsc2Jh
+ZDEXMBUGA1UECgwOTGludXhzZXJ2ZXIuaW8xFDASBgNVBAsMC0xTSU8gU2VydmVy
+MQowCAYDVQQDDAEqMB4XDTI1MDYxODEyMjc1MFoXDTM1MDYxNjEyMjc1MFowaDEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhDYXJsc2JhZDEXMBUG
+A1UECgwOTGludXhzZXJ2ZXIuaW8xFDASBgNVBAsMC0xTSU8gU2VydmVyMQowCAYD
+VQQDDAEqMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvUo/5qXdmJTe
+9UEsTnS5+Kw+KDjXhcTdw3vHgHQrumxuz9RlM6qN43R4EXoWReqqKLZ5WPIUdtQo
+sNG2TYZdjDyZk9mKIH9SSHnD/Nczxd56A0xKvx8Y7neKsPDuX/Ffkv27fvVq0sa5
+nxfCaOXJYMGN/+KCZAStK3SjTai4jOfvqZj9/jdiOKOW/LUYK1jZ+7a5GpxwxRXv
+FbGf73afRUCLYbQv8o4Nb5U82WR6PomC1tNwj1iBDEH3k1BhXSjycxaD5RjV+LPx
+qnfT49k6mTSm7cSirisWJjDBMQZRQfGNRZHc0tavI9Ki3+LMXI9vV1+BT7Ul/RtG
+ubM2qajw5QIDAQABo1MwUTAdBgNVHQ4EFgQUTOJdmUzi7ydnUWZcDnTvq7kDsmow
+HwYDVR0jBBgwFoAUTOJdmUzi7ydnUWZcDnTvq7kDsmowDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAUmdCgtKCkyY8e9ALK3QQAm+ZeuvPL/2o66+T
+GYjdQavuKvbXTgBO7reivWFLvf7sDhxxsLhzj98bPU/kp2aWZYW6e6n+T2jkkC2a
+pwrrJlfU6w6IsqjbVZ/34uRvbrdBZLDhDFvZviMFvZ2AZaqddlP4Tq0LVFK6nd3f
+S6/DYhMy9S85l86u4UqOkDoo/niFkOAUk2VFJhQDWe3I1cqN14eG3h05Um2pHuBm
+d1/wAePqaDYAAEKvpW73PCoBPId+rf19twUOiO5Ao/GjwzqhWP3iEV8sW/oWL22v
+KrHEGFG5/kxZWuc7MYKcWRr8caZAZR5hiS1nh0zRA+NIvz3vaQ==
+-----END CERTIFICATE-----

bookstack/bookstack_app_data/keys/cert.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9Sj/mpd2YlN71
+QSxOdLn4rD4oONeFxN3De8eAdCu6bG7P1GUzqo3jdHgRehZF6qootnlY8hR21Ciw
+0bZNhl2MPJmT2Yogf1JIecP81zPF3noDTEq/Hxjud4qw8O5f8V+S/bt+9WrSxrmf
+F8Jo5clgwY3/4oJkBK0rdKNNqLiM5++pmP3+N2I4o5b8tRgrWNn7trkanHDFFe8V
+sZ/vdp9FQIthtC/yjg1vlTzZZHo+iYLW03CPWIEMQfeTUGFdKPJzFoPlGNX4s/Gq
+d9Pj2TqZNKbtxKKuKxYmMMExBlFB8Y1FkdzS1q8j0qLf4sxcj29XX4FPtSX9G0a5
+szapqPDlAgMBAAECggEADzdcBipAsz6KYrw7t83V0knkUD7rglcWPZviaG7OQhTr
+3nyUKxBTihyHd14xUqr/xTiP7ii9oOTCpZ4iEb7Sn86SSOqUmjKp9mYFbXqOMKKG
+++Ni4dS54BePeFRR0TgZxvrrGtRXIzzy2HlkOSL5qnO8urxmX2xp0EO2yewdc8Qg
+kYzi3K+FWRQXNS1L+lVERXgCl8skK6yPEPq2jhiQobhOV2R2AqfwEOGixnWRuWsV
+kKNvZn/Jp0rx1WCMy88LCDy/yh8LhyPkw181E1iC6Jghlb/Bc90OBQe/xH2463B6
+XK9z9nxE/8oSZD/N+NxIiHuuNP9gcJUDljDCL3Pw+QKBgQD7XU7ZzlWEM71YXWdc
+NhssmeSoSyx7//YMMZ07g4/OfJueqD+eqWaBKH1MZ0Y8pBRXWcoXcxDSLp64u9at
+YDW0nhlLi0UVjPRVXqMKJkDPiM3wAYHJ9g1k6hmLwxNdZPcm8L9CKdENV5UT6z/D
+99uLCKUkX+flYtdgu39zb07ffQKBgQDAx+NY3tjW6FeDWzAuoZBm2aADCzIAdzHO
+MD9rcLf5FwcalimCG17Jkwv0Feule84I/R2Plh4nJ19thh/PTeCgQW9dHiaepuPU
+Qy7ern2q5eFkFv6G9KmY4rDYYvSSmLKjNd2jwyQ/EO9y1Dc+J0sFbD//JMOY+I/p
+97j5Yv5jiQKBgAzmDdzJZMQC761wJZSqxhw0zXIBYYf/a33Wse3S43dCF649jf4z
+TSpFjKB2EDmeZdjRp7gqVGukrspmAS8mZ7sb/cpNnD7t27/hulYT/nFn4MF3IlTd
+xnQuOx9b5Et/mdsqsXXQtYSMwP6jrML+ngp1aBwEu96egtTY6kJfLNn1AoGAIfIQ
+olF7NTxsTID+Fvf0CWhAuMh74YEbkAcG49BRVNctNQ1D+dj/89akwDIr8FPAj+yi
+C+qPHK3eK9b2OvanmxBqn6bzffQ9Id9CnYt0LWeVLJ6v6uuiAX3JThD+p+GjcwHF
+KVTvSPuebkXYBGW+3BGXo0HB/2mlTbmFJMS9rqECgYB5M4IvvcLhzjN4DVwghfbO
+/pBSvrvy7QMaCGbC0G7byxQqYKPb50B3w3s9vCnu4SJm5LVNdbjmLDmid3c1huea
+RAEo6MT3QnRFY1HyjDeshp6BnQZrw+ITbMgy3vKpC+EPEhKrJHdLwvYBUTWFbREL
+eB8U3RObNfjNcwuLyCxxvA==
+-----END PRIVATE KEY-----

bookstack/bookstack_app_data/nginx/dhparams.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----

bookstack/bookstack_app_data/nginx/nginx.conf

@@ -0,0 +1,95 @@
+## Version 2024/12/17 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
+
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.21-stable
+
+user abc;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+    # The maximum number of simultaneous connections that can be opened by
+    # a worker process.
+    worker_connections 1024;
+}
+
+http {
+    # Includes mapping of file name extensions to MIME types of responses
+    # and defines the default type.
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Name servers used to resolve names of upstream servers into addresses.
+    # It's also needed when using tcpsocket and udpsocket in Lua modules.
+    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+    include /config/nginx/resolver.conf;
+
+    # Don't tell nginx version to the clients. Default is 'on'.
+    server_tokens off;
+
+    # Specifies the maximum accepted body size of a client request, as
+    # indicated by the request header Content-Length. If the stated content
+    # length is greater than this size, then the client receives the HTTP
+    # error code 413. Set to 0 to disable. Default is '1m'.
+    client_max_body_size 0;
+
+    # Sendfile copies data between one FD and other from within the kernel,
+    # which is more efficient than read() + write(). Default is off.
+    sendfile on;
+
+    # Causes nginx to attempt to send its HTTP response head in one packet,
+    # instead of using partial frames. Default is 'off'.
+    tcp_nopush on;
+
+    # all ssl related config moved to ssl.conf
+    # included in server blocks where listen 443 is defined
+
+    # Enable gzipping of responses.
+    #gzip on;
+
+    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+    gzip_vary on;
+
+    # Helper variable for proxying websockets.
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    # Enable http2 by default for all servers
+    http2 on;
+
+    # Sets the path, format, and configuration for a buffered log write.
+    access_log /config/log/nginx/access.log;
+
+    client_body_temp_path /tmp/nginx 1 2;
+    proxy_temp_path /tmp/nginx-proxy;
+    fastcgi_temp_path /tmp/nginx-fastcgi;
+    uwsgi_temp_path /tmp/nginx-uwsgi;
+    scgi_temp_path /tmp/nginx-scgi;
+
+    proxy_cache_path /tmp/nginx-proxy-cache keys_zone=lsio-proxy:10m;
+    fastcgi_cache_path /tmp/nginx-fcgi-cache keys_zone=lsio-fcgi:10m;
+    scgi_cache_path /tmp/nginx-scgi-cache keys_zone=lsio-scgi:10m;
+    uwsgi_cache_path /tmp/nginx-uwsgi-cache keys_zone=lsio-uwsgi:10m;
+
+    # Includes virtual hosts configs.
+    include /etc/nginx/http.d/*.conf;
+    include /config/nginx/site-confs/*.conf;
+}
+
+daemon off;
+pid /run/nginx.pid;

bookstack/bookstack_app_data/nginx/nginx.conf.sample

@@ -0,0 +1,95 @@
+## Version 2024/12/17 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
+
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.21-stable
+
+user abc;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+    # The maximum number of simultaneous connections that can be opened by
+    # a worker process.
+    worker_connections 1024;
+}
+
+http {
+    # Includes mapping of file name extensions to MIME types of responses
+    # and defines the default type.
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Name servers used to resolve names of upstream servers into addresses.
+    # It's also needed when using tcpsocket and udpsocket in Lua modules.
+    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+    include /config/nginx/resolver.conf;
+
+    # Don't tell nginx version to the clients. Default is 'on'.
+    server_tokens off;
+
+    # Specifies the maximum accepted body size of a client request, as
+    # indicated by the request header Content-Length. If the stated content
+    # length is greater than this size, then the client receives the HTTP
+    # error code 413. Set to 0 to disable. Default is '1m'.
+    client_max_body_size 0;
+
+    # Sendfile copies data between one FD and other from within the kernel,
+    # which is more efficient than read() + write(). Default is off.
+    sendfile on;
+
+    # Causes nginx to attempt to send its HTTP response head in one packet,
+    # instead of using partial frames. Default is 'off'.
+    tcp_nopush on;
+
+    # all ssl related config moved to ssl.conf
+    # included in server blocks where listen 443 is defined
+
+    # Enable gzipping of responses.
+    #gzip on;
+
+    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+    gzip_vary on;
+
+    # Helper variable for proxying websockets.
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    # Enable http2 by default for all servers
+    http2 on;
+
+    # Sets the path, format, and configuration for a buffered log write.
+    access_log /config/log/nginx/access.log;
+
+    client_body_temp_path /tmp/nginx 1 2;
+    proxy_temp_path /tmp/nginx-proxy;
+    fastcgi_temp_path /tmp/nginx-fastcgi;
+    uwsgi_temp_path /tmp/nginx-uwsgi;
+    scgi_temp_path /tmp/nginx-scgi;
+
+    proxy_cache_path /tmp/nginx-proxy-cache keys_zone=lsio-proxy:10m;
+    fastcgi_cache_path /tmp/nginx-fcgi-cache keys_zone=lsio-fcgi:10m;
+    scgi_cache_path /tmp/nginx-scgi-cache keys_zone=lsio-scgi:10m;
+    uwsgi_cache_path /tmp/nginx-uwsgi-cache keys_zone=lsio-uwsgi:10m;
+
+    # Includes virtual hosts configs.
+    include /etc/nginx/http.d/*.conf;
+    include /config/nginx/site-confs/*.conf;
+}
+
+daemon off;
+pid /run/nginx.pid;

bookstack/bookstack_app_data/nginx/resolver.conf

@@ -0,0 +1,3 @@
+# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.
+
+resolver  127.0.0.11 valid=30s;

bookstack/bookstack_app_data/nginx/site-confs/default.conf

@@ -0,0 +1,44 @@
+## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+    set $root /app/www/public;
+    if (!-d /app/www/public) {
+        set $root /config/www;
+    }
+    root $root;
+    index index.html index.htm index.php;
+
+    location / {
+        # enable for basic auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    }
+
+    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny all;
+    }
+}

bookstack/bookstack_app_data/nginx/site-confs/default.conf.sample

@@ -0,0 +1,44 @@
+## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+    set $root /app/www/public;
+    if (!-d /app/www/public) {
+        set $root /config/www;
+    }
+    root $root;
+    index index.html index.htm index.php;
+
+    location / {
+        # enable for basic auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    }
+
+    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny all;
+    }
+}

bookstack/bookstack_app_data/nginx/ssl.conf

@@ -0,0 +1,32 @@
+## Version 2024/12/06 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2024-12-06, Mozilla Guideline v5.7, nginx 1.26.2, OpenSSL 3.3.2, intermediate config, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.26.2&config=intermediate&openssl=3.3.2&ocsp=false&guideline=5.7
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;

bookstack/bookstack_app_data/nginx/ssl.conf.sample

@@ -0,0 +1,32 @@
+## Version 2024/12/06 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2024-12-06, Mozilla Guideline v5.7, nginx 1.26.2, OpenSSL 3.3.2, intermediate config, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.26.2&config=intermediate&openssl=3.3.2&ocsp=false&guideline=5.7
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;

bookstack/bookstack_app_data/nginx/worker_processes.conf

@@ -0,0 +1,3 @@
+# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.
+
+worker_processes 4;

bookstack/bookstack_app_data/php/php-local.ini

@@ -0,0 +1,3 @@
+; Edit this file to override php.ini directives
+
+date.timezone = Etc/UTC

bookstack/bookstack_app_data/php/www2.conf

@@ -0,0 +1,5 @@
+; Edit this file to override www.conf and php-fpm.conf directives and restart the container
+
+; Pool name
+[www]
+

bookstack/bookstack_app_data/www/.env

@@ -0,0 +1,46 @@
+# This file, when named as ".env" in the root of your BookStack install
+# folder, is used for the core configuration of the application.
+# By default this file contains the most common required options but
+# a full list of options can be found in the '.env.example.complete' file.
+
+# NOTE: If any of your values contain a space or a hash you will need to
+# wrap the entire value in quotes. (eg. MAIL_FROM_NAME="BookStack Mailer")
+
+# Application key
+# Used for encryption where needed.
+# Run `php artisan key:generate` to generate a valid key.
+APP_KEY=SomeRandomString
+
+# Application URL
+# This must be the root URL that you want to host BookStack on.
+# All URLs in BookStack will be generated using this value
+# to ensure URLs generated are consistent and secure.
+# If you change this in the future you may need to run a command
+# to update stored URLs in the database. Command example:
+# php artisan bookstack:update-url https://old.example.com https://new.example.com
+APP_URL=https://example.com
+
+# Database details
+DB_HOST=localhost
+DB_DATABASE=database_database
+DB_USERNAME=database_username
+DB_PASSWORD=database_user_password
+
+# Mail system to use
+# Can be 'smtp' or 'sendmail'
+MAIL_DRIVER=smtp
+
+# Mail sender details
+MAIL_FROM_NAME="BookStack"
+MAIL_FROM=bookstack@example.com
+
+# SMTP mail options
+# These settings can be checked using the "Send a Test Email"
+# feature found in the "Settings > Maintenance" area of the system.
+# For more detailed documentation on mail options, refer to:
+# https://www.bookstackapp.com/docs/admin/email-webhooks/#email-configuration
+MAIL_HOST=localhost
+MAIL_PORT=587
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null

bookstack/bookstack_app_data/www/index.html

@@ -0,0 +1,34 @@
+    <html>
+        <head>
+            <title>Welcome to our server</title>
+            <style>
+            body{
+                font-family: Helvetica, Arial, sans-serif;
+            }
+            .message{
+                width:330px;
+                padding:20px 40px;
+                margin:0 auto;
+                background-color:#f9f9f9;
+                border:1px solid #ddd;
+            }
+            center{
+                margin:40px 0;
+            }
+            h1{
+                font-size: 18px;
+                line-height: 26px;
+            }
+            p{
+                font-size: 12px;
+            }
+            </style>
+        </head>
+        <body>
+            <div class="message">
+                <h1>Welcome to our server</h1>
+                <p>The website is currently being setup under this address.</p>
+                <p>For help and support, please contact: <a href="me@example.com">me@example.com</a></p>
+            </div>
+        </body>
+    </html>

bookstack/bookstack_db_data/custom.cnf

@@ -0,0 +1,196 @@
+## custom configuration file based on https://github.com/just-containers/mariadb/blob/master/rootfs/etc/mysql/my.cnf
+## please be aware that changing options here may break things
+#
+# The MySQL database server configuration file.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# especially if they contain "#" chars...
+[client]
+port            = 3306
+socket          = /run/mysqld/mysqld.sock
+
+default-character-set = utf8mb4
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket          = /run/mysqld/mysqld.sock
+nice            = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user            = abc
+pid-file        = /run/mysqld/mysqld.pid
+socket          = /run/mysqld/mysqld.sock
+port            = 3306
+basedir         = /usr
+datadir         = /var/lib/mysql
+tmpdir          = /tmp
+lc_messages_dir = /usr/share/mariadb
+lc_messages     = en_US
+skip-external-locking
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+#bind-address           = 127.0.0.1
+#
+# * Fine Tuning
+#
+key_buffer_size         = 128M
+max_connections         = 100
+connect_timeout         = 5
+wait_timeout            = 600
+max_allowed_packet      = 16M
+thread_cache_size       = 128
+thread_stack            = 192K
+sort_buffer_size        = 4M
+bulk_insert_buffer_size = 16M
+tmp_table_size          = 32M
+max_heap_table_size     = 32M
+
+#performance_schema = on
+character_set_server    = utf8mb4
+collation_server        = utf8mb4_general_ci
+transaction_isolation   = READ-COMMITTED
+binlog_format           = MIXED
+
+#
+# * MyISAM
+#
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched. On error, make copy and try a repair.
+myisam-recover-options  = BACKUP
+#open-files-limit       = 2000
+table_open_cache        = 400
+#table_cache            = 64
+#thread_concurrency     = 10
+myisam_sort_buffer_size = 512M
+concurrent_insert       = 2
+read_buffer_size        = 2M
+read_rnd_buffer_size    = 1M
+#
+# * Query Cache Configuration
+#
+# Cache only tiny result sets, so we can fit more in the query cache.
+query_cache_limit               = 128K
+query_cache_size                = 64M
+# for more write intensive setups, set to DEMAND or OFF
+query_cache_type               = DEMAND
+#
+# * Logging and Replication
+#
+console                 = 1
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log             = 1
+#general_log_file        = /config/log/mysql/mysql.log
+#
+# Error log - should be very few entries.
+#
+log_warnings            = 2
+# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf
+log_error               = /config/log/mysql/mariadb-error.log
+#
+# Enable the slow query log to see queries with especially long duration
+slow_query_log          = 1
+slow_query_log_file     = /config/log/mysql/mariadb-slow.log
+long_query_time         = 5
+#log_slow_rate_limit    = 1000
+#log-queries-not-using-indexes
+#log_slow_admin_statements
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see
+#       https://mariadb.com/kb/en/setting-up-replication/
+#       about other settings you may need to change.
+#server-id              = 1
+#report_host            = master1
+#auto_increment_increment = 2
+#auto_increment_offset  = 1
+log_bin                 = /config/log/mysql/mariadb-bin
+log_bin_index           = /config/log/mysql/mariadb-bin.index
+# not fab for performance, but safer
+#sync_binlog             = 1
+#binlog_do_db            = include_database_name
+#binlog_ignore_db        = include_database_name
+expire_logs_days        = 10
+max_binlog_size         = 100M
+# slaves
+#relay_log              = /config/log/mysql/relay-bin
+#relay_log_index        = /config/log/mysql/relay-bin.index
+#relay_log_info_file    = /config/log/mysql/relay-bin.info
+#log_slave_updates
+#read_only
+#
+# If applications support it, this stricter sql_mode prevents some
+# mistakes like inserting invalid dates etc.
+#sql_mode               = NO_ENGINE_SUBSTITUTION,TRADITIONAL
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+default_storage_engine  = InnoDB
+# you can't just change log file size, requires special procedure
+#innodb_log_file_size   = 50M
+innodb_buffer_pool_size = 256M
+innodb_log_buffer_size  = 8M
+innodb_file_per_table   = 1
+innodb_open_files       = 400
+innodb_io_capacity      = 400
+innodb_flush_method     = O_DIRECT
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet      = 16M
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completion
+
+[isamchk]
+key_buffer         = 16M
+
+#
+# * Galera-related settings
+#
+[galera]
+# Mandatory settings
+#wsrep_on=ON
+#wsrep_provider=
+#wsrep_cluster_address=
+#binlog_format=MIXED
+#default_storage_engine=InnoDB
+#innodb_autoinc_lock_mode=2
+#
+# Allow server to accept connections on all interfaces.
+#
+#bind-address=0.0.0.0
+#
+# Optional setting
+#wsrep_slave_threads=1
+#innodb_flush_log_at_trx_commit=0

bookstack/bookstack_db_data/databases/bookstack/db.opt

@@ -0,0 +1,2 @@
+default-character-set=utf8mb4
+default-collation=utf8mb4_general_ci

bookstack/bookstack_db_data/databases/ib_buffer_pool

@@ -0,0 +1,169 @@
+7,3
+7,2
+7,1
+7,0
+6,6
+6,5
+6,4
+6,3
+6,2
+6,1
+6,0
+5,3
+5,2
+5,1
+5,0
+4,3
+4,2
+4,1
+4,0
+3,2
+2,2
+1,2
+0,9
+0,2
+1,45
+3,44
+2,44
+1,44
+3,43
+2,43
+1,43
+3,42
+2,42
+1,42
+3,41
+2,41
+1,41
+3,40
+2,40
+1,40
+3,39
+2,39
+1,39
+3,38
+2,38
+1,38
+3,37
+2,37
+1,37
+3,36
+2,36
+1,36
+3,35
+2,35
+1,35
+3,34
+2,34
+1,34
+3,33
+2,33
+1,33
+3,32
+2,32
+1,32
+3,31
+2,31
+1,31
+3,30
+2,30
+1,30
+3,29
+2,29
+1,29
+3,28
+2,28
+1,28
+3,27
+2,27
+1,27
+3,26
+2,26
+1,26
+3,25
+2,25
+1,25
+3,24
+2,24
+1,24
+3,23
+2,23
+1,23
+3,22
+2,22
+1,22
+3,21
+2,21
+1,21
+3,20
+2,20
+1,20
+3,19
+2,19
+1,19
+3,18
+2,18
+1,18
+3,17
+2,17
+1,17
+3,16
+2,16
+1,16
+3,15
+2,15
+1,15
+3,14
+2,14
+1,14
+3,13
+2,13
+1,13
+3,12
+2,12
+1,12
+3,11
+2,11
+1,11
+3,10
+2,10
+1,10
+3,9
+2,9
+1,9
+3,8
+2,8
+1,8
+3,7
+2,7
+1,7
+3,6
+2,6
+1,6
+3,5
+2,5
+1,5
+3,4
+2,4
+1,4
+3,3
+3,0
+2,3
+2,0
+1,3
+1,0
+0,6
+0,0
+0,47
+0,46
+0,49
+0,48
+0,45
+0,12
+0,10
+0,8
+0,11
+0,5
+0,7
+0,4
+0,3

bookstack/bookstack_db_data/databases/mariadb_upgrade_info

@@ -0,0 +1 @@
+11.4.4-MariaDB

bookstack/bookstack_db_data/databases/mysql/db.opt

@@ -0,0 +1,2 @@
+default-character-set=utf8mb4
+default-collation=utf8mb4_general_ci