xcad преди 4 месеца
родител
ревизия
69861b7ceb

+ 0 - 1
library/compose/authentik/template.yaml

@@ -97,4 +97,3 @@ spec:
         type: str
         sensitive: true
         autogenerated: true
-        default: ""

+ 1 - 0
library/compose/bind9/template.yaml

@@ -43,6 +43,7 @@ metadata:
        docker exec bind9 named-checkzone home.arpa /var/lib/bind/db.home.arpa
 
     For more information, visit: https://bind9.readthedocs.io/
+  draft: true
 spec:
   general:
     vars:

+ 9 - 9
library/compose/gitea/.env.gitea.j2

@@ -2,19 +2,19 @@
 # Contains Gitea-specific settings and database connection strings
 
 # Timezone
-TZ={{ container_timezone | default('UTC') }}
+TZ={{ container_timezone }}
 
 # User/Group IDs
-USER_UID={{ user_uid | default(1000) }}
-USER_GID={{ user_gid | default(1000) }}
+USER_UID={{ user_uid}}
+USER_GID={{ user_gid}}
 
 # Database Configuration
 GITEA__database__DB_TYPE=postgres
-GITEA__database__HOST={{ service_name | default('gitea') }}-postgres:5432
-GITEA__database__NAME={{ database_name | default('gitea') }}
-GITEA__database__USER={{ database_user | default('gitea') }}
-GITEA__database__PASSWD={{ database_password | default('gitea') }}
+GITEA__database__HOST={{ service_name }}-postgres:5432
+GITEA__database__NAME={{ database_name }}
+GITEA__database__USER={{ database_user }}
+GITEA__database__PASSWD={{ database_password }}
 
 # Server Configuration
-GITEA__server__SSH_PORT={{ gitea_ssh_port | default(2221) }}
-GITEA__server__ROOT_URL={{ gitea_root_url | default('http://localhost:3000') }}
+GITEA__server__SSH_PORT={{ gitea_ssh_port }}
+GITEA__server__ROOT_URL={{ gitea_root_url }}
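Review bot: An undefined `database_password` now renders as `GITEA__database__PASSWD=` with an empty value, because Jinja's default `Undefined` prints as an empty string and the `| default(...)` fallbacks are gone. The `template.yaml` hunk in this commit adds defaults for `database_name` and `database_user` but shows none for `database_password`, `user_uid`, `user_gid`, `gitea_ssh_port` or `gitea_root_url`; they may be declared outside the visible hunks, so this should be confirmed. I would declare `database_password` with `sensitive: true` and `autogenerated: true`, as the authentik template does, and render with `StrictUndefined` so a missing value aborts generation instead of producing a blank credential. The same applies to `POSTGRES_PASSWORD={{ database_password }}` in `.env.postgres.j2`.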

+ 4 - 4
library/compose/gitea/.env.postgres.j2

@@ -2,8 +2,8 @@
 # Contains only database credentials needed by Postgres container
 
 # Timezone
-TZ={{ container_timezone | default('UTC') }}
+TZ={{ container_timezone }}
 
-POSTGRES_USER={{ database_user | default('gitea') }}
-POSTGRES_PASSWORD={{ database_password | default('gitea') }}
-POSTGRES_DB={{ database_name | default('gitea') }}
+POSTGRES_USER={{ database_user }}
+POSTGRES_PASSWORD={{ database_password }}
+POSTGRES_DB={{ database_name }}

+ 40 - 25
library/compose/gitea/compose.yaml.j2

@@ -1,30 +1,35 @@
 services:
-  {{ service_name | default('gitea') }}:
+  {{ service_name }}:
     image: docker.io/gitea/gitea:1.24.5
-    container_name: {{ container_name | default('gitea-server') }}
+    container_name: {{ container_name }}
     env_file:
       - .env.gitea
     {% if ports_enabled %}
     ports:
-      - "{{ ports_http | default(3000) }}:3000"
-      - "{{ ports_ssh | default(2221) }}:22"
+      - {{ ports_http }}:3000
+      - {{ ports_ssh }}:22
     {% endif %}
-    {% if network_enabled %}
+    {% if network_enabled or traefik_enabled %}
     networks:
-      - {{ network_name | default('bridge') }}
+      {% if network_enabled %}
+      - {{ network_name }}
+      {% endif %}
+      {% if traefik_enabled %}
+      - {{ traefik_network }}
+      {% endif %}
     {% endif %}
     {% if traefik_enabled %}
     labels:
       - traefik.enable=true
-      - traefik.http.services.{{ service_name | default('gitea') }}.loadbalancer.server.port=3000
-      - traefik.http.services.{{ service_name | default('gitea') }}.loadbalancer.server.scheme=http
-      - traefik.http.routers.{{ service_name | default('gitea') }}-http.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ service_name | default('gitea') }}-http.entrypoints={{ traefik_entrypoint | default('web') }}
+      - traefik.http.services.{{ service_name }}.loadbalancer.server.port=3000
+      - traefik.http.services.{{ service_name }}.loadbalancer.server.scheme=http
+      - traefik.http.routers.{{ service_name }}-http.rule=Host(`{{ traefik_host }}`)
+      - traefik.http.routers.{{ service_name }}-http.entrypoints={{ traefik_entrypoint }}
       {% if traefik_tls_enabled %}
-      - traefik.http.routers.{{ service_name | default('gitea') }}-https.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ service_name | default('gitea') }}-https.entrypoints={{ traefik_tls_entrypoint | default('websecure') }}
-      - traefik.http.routers.{{ service_name | default('gitea') }}-https.tls=true
-      - traefik.http.routers.{{ service_name | default('gitea') }}-https.tls.certresolver={{ traefik_tls_certresolver }}
+      - traefik.http.routers.{{ service_name }}-https.rule=Host(`{{ traefik_host }}`)
+      - traefik.http.routers.{{ service_name }}-https.entrypoints={{ traefik_tls_entrypoint  }}
+      - traefik.http.routers.{{ service_name }}-https.tls=true
+      - traefik.http.routers.{{ service_name }}-https.tls.certresolver={{ traefik_tls_certresolver }}
       {% endif %}
     {% endif %}
     volumes:
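Review bot: The two port mappings lost their quotes in this hunk, so `- {{ ports_ssh }}:22` renders as a plain scalar such as `2221:22`, which a YAML 1.1 loader reads as a base-60 integer rather than a string. Compose's documentation recommends always writing port mappings as strings for this reason, and the grafana, homer and portainer templates in this same commit keep the quotes. I would restore them: `- "{{ ports_http }}:3000"` and `- "{{ ports_ssh }}:22"`. The service definition continues past the end of the hunk.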
@@ -32,28 +37,33 @@ services:
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     depends_on:
-      - {{ service_name | default('gitea') }}-postgres
-    restart: {{ restart_policy | default('unless-stopped') }}
+      - {{ service_name }}-postgres
+    restart: {{ restart_policy }}
 
   {% if not database_external %}
-  {{ service_name | default('gitea') }}-postgres:
+  {{ service_name }}-postgres:
     image: docker.io/library/postgres:17.6
-    container_name: {{ service_name | default('gitea') }}-db
+    container_name: {{ service_name }}-db
     env_file:
       - .env.postgres
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U {{ database_user | default('gitea') }}"]
+      test: ["CMD-SHELL", "pg_isready -U {{ database_user }}"]
       start_period: 30s
       interval: 10s
       timeout: 10s
       retries: 5
     volumes:
       - gitea-db:/var/lib/postgresql/data
-    {% if network_enabled %}
+    {% if network_enabled or traefik_enabled %}
     networks:
-      - {{ network_name | default('bridge') }}
+      {% if network_enabled %}
+      - {{ network_name }}
+      {% endif %}
+      {% if traefik_enabled %}
+      - {{ traefik_network }}
+      {% endif %}
     {% endif %}
-    restart: {{ restart_policy | default('unless-stopped') }}
+    restart: {{ restart_policy }}
   {% endif %}
 
 volumes:
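Review bot: The `{{ service_name }}-postgres` service now joins `{{ traefik_network }}` whenever `traefik_enabled` is set, which makes the database port reachable from every other container attached to the shared proxy network. Only the Gitea service carries Traefik labels, so the database has no need for that network. Keeping its guard as `{% if network_enabled %}` with only `- {{ network_name }}` would confine it to the backend network. If Traefik is enabled without `network_enabled`, Gitea would then need a separate internal network in common with the database, which these templates do not define yet. The Gitea service block starts outside this hunk.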
@@ -64,11 +74,16 @@ volumes:
     driver: local
   {% endif %}
 
-{% if network_enabled %}
+{% if network_enabled or traefik_enabled %}
 networks:
-  {{ network_name | default('bridge') }}:
+  {% if network_enabled %}
+  {{ network_name }}:
     {% if network_external %}
     external: true
     {% endif %}
+  {% endif %}
+  {% if traefik_enabled %}
+  {{ traefik_network }}:
+    external: true
+  {% endif %}
 {% endif %}
-
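Review bot: When `network_enabled` and `traefik_enabled` are both set and `network_name` equals `traefik_network`, the top-level `networks:` mapping is rendered with the same key twice, and each service lists the network twice. Most loaders reject a duplicate mapping key or silently keep the last entry, which here would force `external: true` regardless of `network_external`. This looks easy to hit, since the Traefik template's `next_steps` tells users to put services on its `{{ network_name }}` network. A guard such as `{% if traefik_enabled and not (network_enabled and traefik_network == network_name) %}` on the Traefik entries would avoid it. The same block is repeated in the grafana, homer and portainer `compose.yaml.j2` hunks.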

+ 17 - 0
library/compose/gitea/template.yaml

@@ -21,8 +21,21 @@ metadata:
     - version-control
     - development
 spec:
+  general:
+    vars:
+      service_name:
+        default: "gitea"
+      container_name:
+        default: "gitea"
   database:
     required: true
+    vars:
+      database_type:
+        default: "postgres"
+      database_name:
+        default: "gitea"
+      database_user:
+        default: "gitea"
   ports:
     vars:
       ports_http:
@@ -33,6 +46,10 @@ spec:
         description: "Host port for SSH Git access"
         type: int
         default: 2221
+  traefik:
+    vars:
+      traefik_host:
+        default: gitea.home.arpa
   gitea:
     description: "Configure Gitea application settings"
     required: true

+ 6 - 6
library/compose/gitlab/compose.yaml.j2

@@ -1,7 +1,7 @@
 services:
-  {{ service_name | default('gitlab') }}:
+  {{ service_name }}:
     image: docker.io/gitlab/gitlab-ce:18.3.1-ce.0
-    container_name: {{ container_name | default('gitlab') }}
+    container_name: {{ container_name }}
     shm_size: '256m'
 {% if traefik_enabled %}
     networks:
@@ -28,11 +28,11 @@ services:
       - traefik.http.services.{{ container_name }}.loadbalancer.server.scheme=http
       - traefik.http.routers.{{ container_name }}-http.service={{ container_name }}
       - traefik.http.routers.{{ container_name }}-http.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ container_name }}-http.entrypoints={{ traefik_entrypoint | default('web') }}
+      - traefik.http.routers.{{ container_name }}-http.entrypoints={{ traefik_entrypoint }}
       {% if traefik_tls_enabled %}
       - traefik.http.routers.{{ container_name }}-https.service={{ container_name }}
       - traefik.http.routers.{{ container_name }}-https.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ container_name }}-https.entrypoints={{ traefik_tls_entrypoint | default('websecure') }}
+      - traefik.http.routers.{{ container_name }}-https.entrypoints={{ traefik_tls_entrypoint }}
       - traefik.http.routers.{{ container_name }}-https.tls=true
       - traefik.http.routers.{{ container_name }}-https.tls.certresolver={{ traefik_tls_certresolver }}
       {% endif %}
@@ -41,11 +41,11 @@ services:
       - traefik.http.services.{{ container_name }}-registry.loadbalancer.server.scheme=http
       - traefik.http.routers.{{ container_name }}-registry-http.service={{ container_name }}-registry
       - traefik.http.routers.{{ container_name }}-registry-http.rule=Host(`{{ registry_hostname }}`)
-      - traefik.http.routers.{{ container_name }}-registry-http.entrypoints={{ traefik_entrypoint | default('web') }}
+      - traefik.http.routers.{{ container_name }}-registry-http.entrypoints={{ traefik_entrypoint }}
       {% if traefik_tls_enabled %}
       - traefik.http.routers.{{ container_name }}-registry-https.service={{ container_name }}-registry
       - traefik.http.routers.{{ container_name }}-registry-https.rule=Host(`{{ registry_hostname }}`)
-      - traefik.http.routers.{{ container_name }}-registry-https.entrypoints={{ traefik_tls_entrypoint | default('websecure') }}
+      - traefik.http.routers.{{ container_name }}-registry-https.entrypoints={{ traefik_tls_entrypoint }}
       - traefik.http.routers.{{ container_name }}-registry-https.tls=true
       - traefik.http.routers.{{ container_name }}-registry-https.tls.certresolver={{ traefik_tls_certresolver }}
       {% endif %}

+ 8 - 0
library/compose/gitlab/template.yaml

@@ -23,6 +23,10 @@ metadata:
 spec:
   general:
     vars:
+      service_name:
+        default: "gitlab"
+      container_name:
+        default: "gitlab"
       external_url:
         type: string
         description: External URL for GitLab (e.g., https://gitlab.example.com)
@@ -45,6 +49,10 @@ spec:
         type: int
         description: HTTPS port (disabled if using Traefik)
         default: 443
+  traefik:
+    vars:
+      traefik_host:
+        default: gitlab.home.arpa
   registry:
     description: GitLab Container Registry configuration
     required: false

+ 27 - 16
library/compose/grafana/compose.yaml.j2

@@ -1,45 +1,56 @@
 services:
-  {{ service_name | default('grafana') }}:
+  {{ service_name }}:
     image: docker.io/grafana/grafana-oss:12.1.1
-    container_name: {{ container_name | default('grafana') }}
+    container_name: {{ container_name }}
     environment:
-      - TZ={{ container_timezone | default('UTC') }}
+      - TZ={{ container_timezone }}
       {% if container_hostname -%}
       - GF_SERVER_DOMAIN={{ container_hostname }}
       {% endif %}
     {% if ports_enabled %}
     ports:
-      - "{{ ports_http | default(3000) }}:3000"
+      - "{{ ports_http }}:3000"
     {% endif %}
     volumes:
       - grafana-data:/var/lib/grafana
-    {% if network_enabled %}
+    {% if network_enabled or traefik_enabled %}
     networks:
-      - {{ network_name | default('bridge') }}
+      {% if network_enabled %}
+      - {{ network_name }}
+      {% endif %}
+      {% if traefik_enabled %}
+      - {{ traefik_network }}
+      {% endif %}
     {% endif %}
     {% if traefik_enabled %}
     labels:
       - traefik.enable=true
-      - traefik.http.services.{{ service_name | default('grafana') }}.loadbalancer.server.port=3000
-      - traefik.http.routers.{{ service_name | default('grafana') }}-http.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ service_name | default('grafana') }}-http.entrypoints={{ traefik_entrypoint | default('web') }}
+      - traefik.http.services.{{ service_name }}.loadbalancer.server.port=3000
+      - traefik.http.routers.{{ service_name }}-http.rule=Host(`{{ traefik_host }}`)
+      - traefik.http.routers.{{ service_name }}-http.entrypoints={{ traefik_entrypoint }}
       {% if traefik_tls_enabled %}
-      - traefik.http.routers.{{ service_name | default('grafana') }}-https.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ service_name | default('grafana') }}-https.entrypoints={{ traefik_tls_entrypoint | default('websecure') }}
-      - traefik.http.routers.{{ service_name | default('grafana') }}-https.tls=true
-      - traefik.http.routers.{{ service_name | default('grafana') }}-https.tls.certresolver={{ traefik_tls_certresolver }}
+      - traefik.http.routers.{{ service_name }}-https.rule=Host(`{{ traefik_host }}`)
+      - traefik.http.routers.{{ service_name }}-https.entrypoints={{ traefik_tls_entrypoint }}
+      - traefik.http.routers.{{ service_name }}-https.tls=true
+      - traefik.http.routers.{{ service_name }}-https.tls.certresolver={{ traefik_tls_certresolver }}
       {% endif %}
     {% endif %}
-    restart: {{ restart_policy | default('unless-stopped') }}
+    restart: {{ restart_policy }}
 
 volumes:
   grafana-data:
     driver: local
 
-{% if network_enabled %}
+{% if network_enabled or traefik_enabled %}
 networks:
-  {{ network_name | default('bridge') }}:
+  {% if network_enabled %}
+  {{ network_name }}:
     {% if network_external %}
     external: true
     {% endif %}
+  {% endif %}
+  {% if traefik_enabled %}
+  {{ traefik_network }}:
+    external: true
+  {% endif %}
 {% endif %}

+ 10 - 0
library/compose/grafana/template.yaml

@@ -12,9 +12,19 @@ metadata:
   - observability
   - dashboard
 spec:
+  general:
+    vars:
+      service_name:
+        default: "grafana"
+      container_name:
+        default: "grafana"
   ports:
     vars:
       ports_http:
         description: "Host port for HTTP (3000)"
         type: int
         default: 3000
+  traefik:
+    vars:
+      traefik_host:
+        default: grafana.home.arpa

+ 27 - 16
library/compose/homer/compose.yaml.j2

@@ -1,38 +1,49 @@
 services:
-  {{ service_name | default('homer') }}:
+  {{ service_name }}:
     image: docker.io/b4bz/homer:v25.08.1
-    container_name: {{ container_name | default('homer') }}
+    container_name: {{ container_name }}
     environment:
-      - TZ={{ container_timezone | default('UTC') }}
+      - TZ={{ container_timezone }}
     {% if ports_enabled %}
     ports:
-      - "{{ ports_http | default(8080) }}:8080"
+      - "{{ ports_http }}:8080"
     {% endif %}
     volumes:
       - ./assets:/www/assets
-    {% if network_enabled %}
+    {% if network_enabled or traefik_enabled %}
     networks:
-      - {{ network_name | default('bridge') }}
+      {% if network_enabled %}
+      - {{ network_name }}
+      {% endif %}
+      {% if traefik_enabled %}
+      - {{ traefik_network }}
+      {% endif %}
     {% endif %}
     {% if traefik_enabled %}
     labels:
       - traefik.enable=true
-      - traefik.http.services.{{ service_name | default('homer') }}.loadbalancer.server.port=8080
-      - traefik.http.routers.{{ service_name | default('homer') }}-http.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ service_name | default('homer') }}-http.entrypoints={{ traefik_entrypoint | default('web') }}
+      - traefik.http.services.{{ service_name }}.loadbalancer.server.port=8080
+      - traefik.http.routers.{{ service_name }}-http.rule=Host(`{{ traefik_host }}`)
+      - traefik.http.routers.{{ service_name }}-http.entrypoints={{ traefik_entrypoint }}
       {% if traefik_tls_enabled %}
-      - traefik.http.routers.{{ service_name | default('homer') }}-https.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ service_name | default('homer') }}-https.entrypoints={{ traefik_tls_entrypoint | default('websecure') }}
-      - traefik.http.routers.{{ service_name | default('homer') }}-https.tls=true
-      - traefik.http.routers.{{ service_name | default('homer') }}-https.tls.certresolver={{ traefik_tls_certresolver }}
+      - traefik.http.routers.{{ service_name }}-https.rule=Host(`{{ traefik_host }}`)
+      - traefik.http.routers.{{ service_name }}-https.entrypoints={{ traefik_tls_entrypoint }}
+      - traefik.http.routers.{{ service_name }}-https.tls=true
+      - traefik.http.routers.{{ service_name }}-https.tls.certresolver={{ traefik_tls_certresolver }}
       {% endif %}
     {% endif %}
-    restart: {{ restart_policy | default('unless-stopped') }}
+    restart: {{ restart_policy }}
 
-{% if network_enabled %}
+{% if network_enabled or traefik_enabled %}
 networks:
-  {{ network_name | default('bridge') }}:
+  {% if network_enabled %}
+  {{ network_name }}:
     {% if network_external %}
     external: true
     {% endif %}
+  {% endif %}
+  {% if traefik_enabled %}
+  {{ traefik_network }}:
+    external: true
+  {% endif %}
 {% endif %}

+ 8 - 0
library/compose/homer/template.yaml

@@ -45,6 +45,10 @@ metadata:
 spec:
   general:
     vars:
+      service_name:
+        default: "homer"
+      container_name:
+        default: "homer"
       homer_title:
         description: "Dashboard title"
         type: str
@@ -63,3 +67,7 @@ spec:
         description: "Host port for HTTP (8080)"
         type: int
         default: 8080
+  traefik:
+    vars:
+      traefik_host:
+        default: homer.home.arpa

+ 31 - 20
library/compose/portainer/compose.yaml.j2

@@ -1,47 +1,58 @@
 services:
-  {{ service_name | default('portainer') }}:
-    container_name: {{ container_name | default('portainer') }}
+  {{ service_name }}:
+    container_name: {{ container_name }}
     image: docker.io/portainer/portainer-ce:2.33.1-alpine
     environment:
-      - TZ={{ container_timezone | default('UTC') }}
+      - TZ={{ container_timezone }}
     {% if ports_enabled %}
     ports:
-      - "{{ ports_http | default(9000) }}:9000"
-      - "{{ ports_https | default(9443) }}:9443"
-      - "{{ ports_edge | default(8000) }}:8000"
+      - "{{ ports_http }}:9000"
+      - "{{ ports_https }}:9443"
+      - "{{ ports_edge }}:8000"
     {% endif %}
     volumes:
       - /run/docker.sock:/var/run/docker.sock
       - portainer-data:/data
-    {% if network_enabled %}
+    {% if network_enabled or traefik_enabled %}
     networks:
-      - {{ network_name | default('bridge') }}
+      {% if network_enabled %}
+      - {{ network_name }}
+      {% endif %}
+      {% if traefik_enabled %}
+      - {{ traefik_network }}
+      {% endif %}
     {% endif %}
     {% if traefik_enabled %}
     labels:
       - traefik.enable=true
-      - traefik.http.services.{{ service_name | default('portainer') }}.loadbalancer.server.port=9000
-      - traefik.http.routers.{{ service_name | default('portainer') }}-http.service={{ service_name | default('portainer') }}
-      - traefik.http.routers.{{ service_name | default('portainer') }}-http.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ service_name | default('portainer') }}-http.entrypoints={{ traefik_entrypoint | default('web') }}
+      - traefik.http.services.{{ service_name }}.loadbalancer.server.port=9000
+      - traefik.http.routers.{{ service_name }}-http.service={{ service_name }}
+      - traefik.http.routers.{{ service_name }}-http.rule=Host(`{{ traefik_host }}`)
+      - traefik.http.routers.{{ service_name }}-http.entrypoints={{ traefik_entrypoint }}
       {% if traefik_tls_enabled %}
-      - traefik.http.routers.{{ service_name | default('portainer') }}-https.service={{ service_name | default('portainer') }}
-      - traefik.http.routers.{{ service_name | default('portainer') }}-https.rule=Host(`{{ traefik_host }}`)
-      - traefik.http.routers.{{ service_name | default('portainer') }}-https.entrypoints={{ traefik_tls_entrypoint | default('websecure') }}
-      - traefik.http.routers.{{ service_name | default('portainer') }}-https.tls=true
-      - traefik.http.routers.{{ service_name | default('portainer') }}-https.tls.certresolver={{ traefik_tls_certresolver }}
+      - traefik.http.routers.{{ service_name }}-https.service={{ service_name }}
+      - traefik.http.routers.{{ service_name }}-https.rule=Host(`{{ traefik_host }}`)
+      - traefik.http.routers.{{ service_name }}-https.entrypoints={{ traefik_tls_entrypoint }}
+      - traefik.http.routers.{{ service_name }}-https.tls=true
+      - traefik.http.routers.{{ service_name }}-https.tls.certresolver={{ traefik_tls_certresolver }}
       {% endif %}
     {% endif %}
-    restart: {{ restart_policy | default('unless-stopped') }}
+    restart: {{ restart_policy }}
 
 volumes:
   portainer-data:
     driver: local
 
-{% if network_enabled %}
+{% if network_enabled or traefik_enabled %}
 networks:
-  {{ network_name | default('bridge') }}:
+  {% if network_enabled %}
+  {{ network_name }}:
     {% if network_external %}
     external: true
     {% endif %}
+  {% endif %}
+  {% if traefik_enabled %}
+  {{ traefik_network }}:
+    external: true
+  {% endif %}
 {% endif %}

+ 10 - 0
library/compose/portainer/template.yaml

@@ -11,6 +11,12 @@ metadata:
   - docker
   - compose
 spec:
+  general:
+    vars:
+      service_name:
+        default: "portainer"
+      container_name:
+        default: "portainer"
   ports:
     vars:
       ports_http:
@@ -25,3 +31,7 @@ spec:
         description: "Host port for Edge agent (8000)"
         type: int
         default: 8000
+  traefik:
+    vars:
+      traefik_host:
+        default: portainer.home.arpa

+ 40 - 0
library/compose/traefik/template.yaml

@@ -16,6 +16,46 @@ metadata:
   tags:
     - reverse-proxy
     - load-balancer
+  next_steps: |
+    1. Start Traefik:
+       docker compose up -d
+
+    2. Configure your domain DNS:
+       - Point your domain A/AAAA records to your server IP
+       {% if traefik_tls_enabled -%}
+       - Configure DNS API credentials in .env file
+       - Ensure {{ traefik_tls_acme_provider }} API token has DNS edit permissions
+       {%- endif %}
+
+    3. Access the dashboard:
+       {% if traefik_dashboard_enabled -%}
+       - Dashboard: http://localhost:8080
+       - WARNING: Dashboard is in insecure mode - don't use in production!
+       {%- else -%}
+       - Dashboard is disabled (secure production setup)
+       - Enable it temporarily by setting traefik_dashboard_enabled=true
+       {%- endif %}
+
+    4. Deploy your services:
+       - Ensure services use the '{{ network_name }}' network
+       - Add Traefik labels to your service containers
+       - Services will be automatically discovered and routed
+
+    5. Configuration files:
+       - Static config: config/traefik.yml
+       - Dynamic config: config/conf.d/*.yml
+       {% if traefik_tls_enabled -%}
+       - TLS certificates: certs/acme.json
+       {%- endif %}
+
+    6. Security recommendations:
+       - Disable dashboard in production (traefik_dashboard_enabled=false)
+       - Use TLS/HTTPS for all services
+       - Store API tokens in Docker secrets (Swarm) or secure vaults
+       - Regularly update Traefik to latest version
+       - Review and limit network exposure
+
+    For more information, visit: https://doc.traefik.io/traefik/
 spec:
   general:
     title: "General"
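Review bot: Step 2 tells the user to put DNS API credentials in the `.env` file, while step 6 recommends storing API tokens in Docker secrets or a vault, and nothing says how to protect either `.env` or `certs/acme.json`. Since `acme.json` holds the ACME account key and certificate private keys, and Traefik refuses to use it unless its mode is 600, I would add a line under step 5 such as `- Restrict permissions: chmod 600 certs/acme.json .env`. A line under step 6 saying that `.env` must stay out of version control would resolve the mismatch between the two steps. The dashboard URL in step 3 is hard-coded to `http://localhost:8080`; whether that port is configurable is not visible in this hunk.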