feat: add Tube Archivist (clean install)

infrastructure.org

@@ -600,6 +600,18 @@ http:
         - security-headers@file
         - traefik-bouncer@file
 
+    tubearchivist:
+      rule: "Host(`tubearchivist.gharbeia.net`)"
+      service: tubearchivist-internal
+      entryPoints:
+        - secureweb
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - authentik-forwardauth@file
+        - security-headers@file
+        - traefik-bouncer@file
+
     traefik-dashboard:
       rule: "Host(`traefik.gharbeia.net`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
       service: traefik-dashboard-internal
@@ -721,6 +733,10 @@ http:
       loadBalancer:
         servers:
           - url: http://traefik:8080
+    tubearchivist-internal:
+      loadBalancer:
+        servers:
+          - url: http://tubearchivist:8000
 #+END_SRC
 
 All 28 routers follow the same pattern. The service URLs point to Docker DNS
@@ -860,11 +876,12 @@ include:
       - services/stash.yaml
       - services/tdarr.yaml
       - services/tdarr-node.yaml
+      - services/tubearchivist.yaml
       - services/audiobookshelf.yaml
       - services/whisparr.yaml
 #+END_SRC
 
-All 43 services are organized alphabetically by category in the include list.
+All 44 services are organized alphabetically by category in the include list.
 The order matters for startup dependencies: infrastructure services (gluetun,
 postgresql, valkey, authentik, traefik) come first.
 
@@ -1183,6 +1200,90 @@ services:
       - /docker/appdata/unbound/unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro
 #+END_SRC
 
+** Tube Archivist — YouTube Archiving
+
+Tube Archivist downloads and indexes YouTube channels, playlists, and
+videos. Full-text search, metadata browsing, subscription management.
+
+The stack has three containers:
+- =tubearchivist= (main app) — Django web UI on port 8000
+- =tubearchivist-es= — Elasticsearch 8.17 for metadata + search
+- =tubearchivist-redis= — Redis for Celery task queue
+
+Tube Archivist does NOT need VPN routing (reaches YouTube directly).
+
+#+BEGIN_SRC yaml :tangle /docker/compose/services/tubearchivist.yaml
+services:
+  tubearchivist:
+    image: bbilly1/tubearchivist:latest
+    container_name: tubearchivist
+    restart: unless-stopped
+    networks:
+      - networking
+    ports:
+      - ${WEBUI_PORT_TUBEARCHIVIST:-8000}:8000
+    environment:
+      - TZ=${TIMEZONE:?err}
+      - TA_USERNAME=${TA_USERNAME:?err}
+      - TA_PASSWORD=${TA_PASSWORD:?err}
+      - ES_URL=http://tubearchivist-es:9200
+      - REDIS_CON=redis://tubearchivist-redis:6379
+      - HOST_UID=${PUID:?err}
+      - HOST_GID=${PGID:?err}
+      - ELASTIC_PASSWORD=tubearchivist
+      - TA_HOST=tubearchivist.gharbeia.net
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/media:/youtube
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/cache:/cache
+    depends_on:
+      tubearchivist-es:
+        condition: service_healthy
+      tubearchivist-redis:
+        condition: service_healthy
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.tubearchivist.service=tubearchivist
+      - traefik.http.routers.tubearchivist.rule=Host(`tubearchivist.${CLOUDFLARE_DNS_ZONE:?err}`)
+      - traefik.http.routers.tubearchivist.entrypoints=tunnel
+      - traefik.http.routers.tubearchivist.middlewares=authentik-forwardauth@file,security-headers@file,traefik-bouncer@file
+      - traefik.http.services.tubearchivist.loadbalancer.server.scheme=http
+      - traefik.http.services.tubearchivist.loadbalancer.server.port=8000
+
+  tubearchivist-es:
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.17.0
+    container_name: tubearchivist-es
+    restart: unless-stopped
+    networks:
+      - networking
+    environment:
+      - discovery.type=single-node
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+      - xpack.security.enabled=false
+      - path_repo=/usr/share/elasticsearch/data/snapshot
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/es:/usr/share/elasticsearch/data
+    healthcheck:
+      test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  tubearchivist-redis:
+    image: redis:7-alpine
+    container_name: tubearchivist-redis
+    restart: unless-stopped
+    networks:
+      - networking
+    command: --save 60 1 --loglevel warning
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/redis:/data
+    healthcheck:
+      test: redis-cli ping | grep PONG
+      interval: 30s
+      timeout: 10s
+      retries: 3
+#+END_SRC
+
 ** Remaining Services
 
 The following services follow the same pattern as those documented above.
@@ -1209,6 +1310,7 @@ definition, environment, volumes, and Traefik labels.
 - =qbittorrent.yaml, sabnzbd.yaml= — Torrent and usenet clients
 - =stash.yaml= — Adult content library manager
 - =tdarr.yaml, tdarr-node.yaml= — Media transcoding automation
+- =tubearchivist.yaml= — YouTube archiving (Tube Archivist)
 - =audiobookshelf.yaml= — Audiobook and podcast server
 
 * .env Configuration
@@ -1221,9 +1323,17 @@ Key variables:
 - =CLOUDFLARE_DNS_ZONE= (=gharbeia.net=) is used in all Traefik routes
 - =PUID= and =PGID= control file ownership (1000:1000)
 - =TUNNEL_TOKEN= is the Cloudflare tunnel auth token (managed externally)
+- =TA_USERNAME= and =TA_PASSWORD= — Tube Archivist admin credentials
 
 * LOGBOOK
 
+** [2026-05-16 Sat 22:45] Tube Archivist installed
+- 3-container stack: tubearchivist, ES 8.17, Redis
+- Traefik secureweb/tunnel/internal routers
+- Static TA_HOST=tubearchivist.gharbeia.net, ELASTIC_PASSWORD=tubearchivist
+- REDIS_CON connection string (newer TA uses this instead of REDIS_HOST+REDIS_PORT)
+- ES 8.17 with path_repo and xpack.security.enabled=false
+
 ** [2026-05-15 Thu 09:30] Jellyfin SSO fixed — KnownProxies and Two-Step Flow
 - Root cause: Jellyfin's empty KnownProxies caused SSO plugin to use HTTP
   base URL, breaking the JavaScript two-step auth flow (iframe/POST/redirect)