Deploy BookStack with linuxserver.io images behind Traefik, including Entra ID OIDC SSO support and a daily backup timer.

Stack:
- lscr.io/linuxserver/bookstack:version-v26.03.3
- lscr.io/linuxserver/mariadb:11.4.9
- Traefik labels for websecure entrypoint on internal network
- Healthcheck via mariadb-admin ping (LSIO image lacks healthcheck.sh)

Features:
- Persistent APP_KEY generated on first run, stored in volume dir
- Optional OIDC SSO via Microsoft Entra ID (configurable per-instance)
- Idempotent admin user creation with DB-based existence check
- Daily systemd timer backup (DB dump + uploads tar + APP_KEY) with configurable retention

Implementation notes:
- DB queries use --protocol=tcp with the app user because root@localhost uses unix_socket auth in the LSIO MariaDB image (no password) and root@% does not exist
- docker_container_exec uses argv: (list) instead of command: (string) to avoid argument-splitting issues
- Migration-wait task ensures users table exists before admin check, since /login returns 200 before Laravel migrations complete
- no_log: true on all tasks that reference DB or admin passwords
- artisan absolute path (/app/www/artisan) because LSIO image WORKDIR is not the app directory

Adds bookstack route to DMZ Traefik service registry.
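The migration wait and the idempotent admin check that the commit message describes, written out as an added Ansible example; this is illustrative code, not the repository's own tasks. It assumes the community.docker collection, container names held in bookstack_db_container and bookstack_app_container, the database credentials in bookstack_db_name, bookstack_db_user and bookstack_db_password, and the admin account details in bookstack_admin_email, bookstack_admin_name and bookstack_admin_password. The DB password is passed to the client through MYSQL_PWD rather than on the command line, which is a choice made here, not something the commit states.

```yaml
# Added example (not from the repository). Assumed variables: bookstack_db_container,
# bookstack_app_container, bookstack_db_name, bookstack_db_user, bookstack_db_password,
# bookstack_admin_email, bookstack_admin_name, bookstack_admin_password.
#
# All queries go over TCP as the application user: in the LSIO MariaDB image
# root@localhost authenticates with unix_socket and there is no root@%.
# argv: keeps each --execute= query as a single argument, so no word splitting.

- name: Wait for Laravel migrations to create the users table
  community.docker.docker_container_exec:
    container: "{{ bookstack_db_container }}"
    argv:
      - mariadb
      - --protocol=tcp
      - --host=127.0.0.1
      - "--user={{ bookstack_db_user }}"
      - --batch
      - --skip-column-names
      - "--execute=SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{{ bookstack_db_name }}' AND table_name='users'"
    env:
      MYSQL_PWD: "{{ bookstack_db_password }}"
  register: users_table
  # /login answers 200 before migrations finish, so poll the schema instead.
  until: users_table.rc == 0 and (users_table.stdout | trim) == '1'
  retries: 30
  delay: 5
  changed_when: false
  no_log: true

- name: Check whether the admin account already exists
  community.docker.docker_container_exec:
    container: "{{ bookstack_db_container }}"
    argv:
      - mariadb
      - --protocol=tcp
      - --host=127.0.0.1
      - "--user={{ bookstack_db_user }}"
      - --batch
      - --skip-column-names
      - "--database={{ bookstack_db_name }}"
      # bookstack_admin_email is operator-controlled inventory data, not user input.
      - "--execute=SELECT COUNT(*) FROM users WHERE email='{{ bookstack_admin_email }}'"
    env:
      MYSQL_PWD: "{{ bookstack_db_password }}"
  register: admin_exists
  changed_when: false
  no_log: true

- name: Create the initial admin account (only when absent)
  community.docker.docker_container_exec:
    container: "{{ bookstack_app_container }}"
    argv:
      - php
      # Absolute path: the LSIO image WORKDIR is not the application directory.
      - /app/www/artisan
      - bookstack:create-admin
      - "--email={{ bookstack_admin_email }}"
      - "--name={{ bookstack_admin_name }}"
      - "--password={{ bookstack_admin_password }}"
  when: (admin_exists.stdout | trim) == '0'
  no_log: true
```

With no_log on every task that touches a password, a failed retry of the wait task logs only that the task failed, not the argv or the MYSQL_PWD value; the cost is that debugging a wrong credential means temporarily lowering no_log on one run rather than reading it from the play output.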
53 lines
No EOL
1.2 KiB
YAML
```yaml
# Services to be exposed through the DMZ reverse proxy
traefik_dmz_exposed_services:
  - name: httpbin
    domain: httpbin.local.test
    port: 443
    protocol: https
  - name: keycloak
    domain: keycloak.local.test
    port: 443
    protocol: https
  - name: garage-webui
    domain: console.storage.local.test
    port: 443
    protocol: https
  - name: nextcloud
    domain: nextcloud.local.test
    port: 443
    protocol: https
  - name: nextcloud-collabora
    domain: office.local.test
    port: 443
    protocol: https
  - name: authentik
    domain: authentik.local.test
    port: 443
    protocol: https
  - name: homarr
    domain: home.local.test
    port: 443
    protocol: https
  - name: opnform
    domain: forms.local.test
    port: 443
    protocol: https
  - name: bookstack
    domain: wiki.local.test
    port: 443
    protocol: https
  # Example: Add more services as you deploy them
  # - name: forgejo
  #   domain: git.example.com
  #   port: 3000
  #   protocol: http

  # - name: nextcloud
  #   domain: cloud.example.com
  #   port: 80
  #   protocol: http

traefik_use_ssl: false # disable SSL redirect for vagrant

traefik_use_ssl_dashboard: true # still use SSL for dashboard
traefik_dashboard_domain: "traefik.backend.local.test"
```