brain.gharbeia.net: add Traefik router + update gharbeia-site to external LXC nginx

- Add brain router with Authentik forward-auth pointing to LXC nginx on 8082 - Update gharbeia-site-internal from production-1 Docker nginx to LXC nginx on 8083 - Add brain-internal service (10.10.10.29:8082)
audiomuse: fix .org source — entrypoints, no bouncer, port=8000, bridge network
2026-05-23 23:30:11 +00:00 · 2026-05-21 06:47:34 +00:00
4 changed files with 150 additions and 5 deletions
--- a/audiomuse.yaml
+++ b/audiomuse.yaml
@@ -26,9 +26,9 @@ services:
      - traefik.enable=true
      - traefik.http.routers.audiomuse.service=audiomuse
      - traefik.http.routers.audiomuse.rule=Host(`audiomuse.${CLOUDFLARE_DNS_ZONE:?err}`)
-      - traefik.http.routers.audiomuse.entrypoints=tunnel
+      - traefik.http.routers.audiomuse.entrypoints=tunnel,web,secureweb
      - traefik.http.routers.audiomuse.middlewares=authentik-forwardauth@file,security-headers@file
-      - traefik.http.services.audiomuse.loadbalancer.server.scheme=http
+      - traefik.http.services.audiomuse.loadbalancer.server.port=8000
      - traefik.http.services.audiomuse.loadbalancer.server.port=8000

  audiomuse-worker:
--- a/infrastructure.org
+++ b/infrastructure.org
@@ -502,7 +502,20 @@
   502|      tls:
   503|        certResolver: letsencrypt
   504|
-   505|    # -- Management ------------------------------------------------
+   505|    # -- Brain Knowledge Base (private, behind Authentik) ------------
+   506|
+   507|    brain:
+   508|      rule: "Host(`brain.gharbeia.net`)"
+   509|      service: brain-internal
+   510|      entryPoints:
+   511|        - secureweb
+   512|      tls:
+   513|        certResolver: letsencrypt
+   514|      middlewares:
+   515|        - authentik-forwardauth@file
+   516|        - security-headers@file
+   517|
+   518|    # -- Management ------------------------------------------------
   506|
   507|    gitea:
   508|      rule: "Host(`git.gharbeia.net`)"
@@ -696,8 +709,12 @@
   696|    gharbeia-site-internal:
   697|      loadBalancer:
   698|        servers:
-   699|          - url: http://gharbeia-site:80
-   700|    gitea-internal:
+   699|          - url: http://10.10.10.29:8083
+   700|    brain-internal:
+   701|      loadBalancer:
+   702|        servers:
+   703|          - url: "http://10.10.10.29:8082"
+   704|    gitea-internal:
   701|      loadBalancer:
   702|        servers:
   703|          - url: http://gitea:3000
--- a/tubearchivist.yaml
+++ b/tubearchivist.yaml
@@ -0,0 +1,63 @@
+services:
+  tubearchivist:
+    image: bbilly1/tubearchivist:latest
+    container_name: tubearchivist
+    restart: unless-stopped
+    depends_on:
+      gluetun:
+        condition: service_healthy
+        restart: true
+    network_mode: service:gluetun
+    volumes:
+      - ${FOLDER_FOR_MORE:?err}/media/youtube:/youtube
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/cache:/cache
+    environment:
+      - TZ=${TIMEZONE:?err}
+      - TA_USERNAME=${TA_USERNAME:?err}
+      - TA_PASSWORD=${TA_PASSWORD:?err}
+      - ES_URL=http://tubearchivist-es:9200
+      - REDIS_CON=redis://tubearchivist-redis:6379
+      - TA_HOST=https://tubearchivist.gharbeia.net
+      - ELASTIC_PASSWORD=tubearchivist
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.tubearchivist.service=tubearchivist
+      - traefik.http.routers.tubearchivist.rule=Host(`tubearchivist.${CLOUDFLARE_DNS_ZONE:?err}`)
+      - traefik.http.routers.tubearchivist.entrypoints=tunnel
+      - traefik.http.routers.tubearchivist.middlewares=authentik-forwardauth@file,security-headers@file,traefik-bouncer@file
+      - traefik.http.services.tubearchivist.loadbalancer.server.scheme=http
+      - traefik.http.services.tubearchivist.loadbalancer.server.port=8000
+
+  tubearchivist-es:
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.17.0
+    container_name: tubearchivist-es
+    restart: unless-stopped
+    networks:
+      - networking
+    environment:
+      - discovery.type=single-node
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+      - xpack.security.enabled=false
+      - path.repo=/usr/share/elasticsearch/data/snapshot
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/es:/usr/share/elasticsearch/data
+    healthcheck:
+      test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  tubearchivist-redis:
+    image: redis:7-alpine
+    container_name: tubearchivist-redis
+    restart: unless-stopped
+    networks:
+      - networking
+    command: --save 60 1 --loglevel warning
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/redis:/data
+    healthcheck:
+      test: redis-cli ping | grep PONG
+      interval: 30s
+      timeout: 10s
+      retries: 3
--- a/tubearchivist_fixed.yaml
+++ b/tubearchivist_fixed.yaml
@@ -0,0 +1,65 @@
+services:
+  tubearchivist:
+    image: bbilly1/tubearchivist:latest
+    container_name: tubearchivist
+    restart: unless-stopped
+    depends_on:
+      gluetun:
+        condition: service_healthy
+        restart: true
+    network_mode: service:gluetun
+    volumes:
+      - ${FOLDER_FOR_MORE:?err}/media/youtube:/youtube
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/cache:/cache
+    environment:
+      - TZ=${TIMEZONE:?err}
+      - TA_USERNAME=${TA_USERNAME:?err}
+      - TA_PASSWORD=${TA_PASSWORD:?err}
+      - ES_URL=http://tubearchivist-es:9200
+      - REDIS_CON=redis://tubearchivist-redis:6379
+      - TA_HOST=https://tubearchivist.gharbeia.net
+      - ELASTIC_PASSWORD=tubearchivist
+      - HOST_UID=${PUID:?err}
+      - HOST_GID=${PGID:?err}
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.tubearchivist.service=tubearchivist
+      - traefik.http.routers.tubearchivist.rule=Host(`tubearchivist.${CLOUDFLARE_DNS_ZONE:?err}`)
+      - traefik.http.routers.tubearchivist.entrypoints=tunnel
+      - traefik.http.routers.tubearchivist.middlewares=authentik-forwardauth@file,security-headers@file,traefik-bouncer@file
+      - traefik.http.services.tubearchivist.loadbalancer.server.scheme=http
+      - traefik.http.services.tubearchivist.loadbalancer.server.port=8000
+
+  tubearchivist-es:
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.17.0
+    container_name: tubearchivist-es
+    restart: unless-stopped
+    networks:
+      - networking
+    environment:
+      - discovery.type=single-node
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+      - xpack.security.enabled=false
+      - path.repo=/usr/share/elasticsearch/data/snapshot
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/es:/usr/share/elasticsearch/data
+    healthcheck:
+      test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  tubearchivist-redis:
+    image: redis:7-alpine
+    container_name: tubearchivist-redis
+    restart: unless-stopped
+    networks:
+      - networking
+    command: --save 60 1 --loglevel warning
+    volumes:
+      - ${FOLDER_FOR_DATA:?err}/tubearchivist/redis:/data
+    healthcheck:
+      test: redis-cli ping | grep PONG
+      interval: 30s
+      timeout: 10s
+      retries: 3
Author	SHA1	Message	Date
Hermes	6ecfa3e0e9	brain.gharbeia.net: add Traefik router + update gharbeia-site to external LXC nginx - Add brain router with Authentik forward-auth pointing to LXC nginx on 8082 - Update gharbeia-site-internal from production-1 Docker nginx to LXC nginx on 8083 - Add brain-internal service (10.10.10.29:8082)	2026-05-23 23:30:11 +00:00
Hermes	61687cf5ad	audiomuse: fix .org source — entrypoints, no bouncer, port=8000, bridge network Plus new tubearchivist yaml configs	2026-05-21 06:47:34 +00:00