diff --git a/.gitignore b/.gitignore index 314044f..9b15a56 100644 --- a/.gitignore +++ b/.gitignore @@ -34,4 +34,8 @@ Temporary Items # iCloud generated files *.icloud +# rumdl cache directories +.rumdl_cache/ +**/.rumdl_cache/ + # End of https://www.toptal.com/developers/gitignore/api/macos \ No newline at end of file diff --git a/README.md b/README.md index 49fa59d..5e6111e 100644 --- a/README.md +++ b/README.md @@ -501,4 +501,4 @@ See [CONTRIBUTING.md](/CONTRIBUTING.md) for guidance on adding services with the ## License -[MIT](https://choosealicense.com/licenses/mit/) +[MIT](https://choosealicense.com/licenses/mit/) \ No newline at end of file diff --git a/services/filebrowser/.env b/services/filebrowser/.env new file mode 100644 index 0000000..fd58305 --- /dev/null +++ b/services/filebrowser/.env @@ -0,0 +1,20 @@ +#version=1.1 +#URL=https://github.com/tailscale-dev/ScaleTail +#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. + +# Service Configuration +SERVICE=filebrowser # Service name (e.g., adguard). Used as hostnme in Tailscale and for ctainer naming (app-${SERVICE}). +IMAGE_URL=filebrowser/filebrowser:s6 # Docker image URL from container registry (e.g., adguard/adguard-home). + +# Network Configuration +SERVICEPORT=80 # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. +DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. + +# Tailscale Configuration +TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. + +# Time Zone setting for containers +TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones + +# Optional Service variables +# PUID=1000 diff --git a/services/filebrowser/README.md b/services/filebrowser/README.md new file mode 100644 index 0000000..d94ef06 --- /dev/null 
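Review bot: `IMAGE_URL=filebrowser/filebrowser:s6` in the new `.env` looks like a moving variant tag rather than a fixed release, and `compose.yml` in this commit likewise pulls `tailscale/tailscale:latest` for a sidecar that is granted `net_admin` and `/dev/net/tun`, so any pull can change what runs next to the mounted files without a reviewable diff. Pinning both to a release tag or digest, e.g. `IMAGE_URL=filebrowser/filebrowser@sha256:<digest>` (placeholder), would make upgrades deliberate. The `TS_AUTHKEY=` line sits in a file this commit adds to version control, so I would extend its comment with `# Never commit a filled-in key; prefer a one-off, tagged key with a short expiry.` The comment on `SERVICE=` also has two typos (`hostnme`, `ctainer`), and the comments point to `compose.yaml` while the file added here is `compose.yml`.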
+++ b/services/filebrowser/README.md 
@@ -0,0 +1,41 @@
+# Filebrowser with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up **Filebrowser** with a Tailscale sidecar container, enabling secure, private access to your self-hosted web file manager over your Tailnet. With this setup, your Filebrowser instance is **not exposed to the public internet** and is only accessible from authorized devices connected via Tailscale.
+
+## Filebrowser
+
+[**Filebrowser**](https://github.com/filebrowser/filebrowser) is a lightweight, self-hosted web file manager that provides a clean browser-based interface for managing files inside a specified directory. It can be used to upload, download, delete, preview, rename, and edit files directly from a web interface.
+
+Filebrowser is often used as a simple "create-your-own-cloud" style service. You point it at a directory on your server, then manage that directory through the browser instead of needing direct SSH, SMB, SFTP, or local filesystem access. It also supports multiple users, making it useful for small teams, home labs, shared storage locations, and private file management workflows.
+
+## Key Features
+
+- 📂 Web-based file management for a configured server directory
+- ⬆️ Upload, download, rename, move, copy, delete, preview, and edit files
+- 👥 Multi-user support with user-specific scopes and permissions
+- 🔗 File and folder sharing options for controlled access
+- 🧭 Simple browser interface for managing server-side files
+- 🧰 Lightweight deployment with minimal service overhead
+- 🔐 Tailnet-only access when paired with the included Tailscale sidecar
+
+## Usage Notes
+
+Make sure to get your initial admin password from the Docker logs.
+
+![Initial Admin Password in Logs](images/initial-admin-password-in-logs.png)
+
+Once logged in, review the configured user accounts, permissions, sharing settings, and file root path before using the service with important data.
Since Filebrowser can directly modify files on the mounted host directory, permissions should be treated carefully.
+
+## Files to Check
+
+- `compose.yaml` - Main Docker Compose configuration for Filebrowser and the Tailscale sidecar
+- `.env` - Environment variables such as `TS_AUTHKEY`, Tailscale hostname, and any deployment-specific values
+- Mounted file directory - Host path exposed to Filebrowser for web-based file management
+- Filebrowser database/config path - Persistent storage for users, settings, permissions, and configuration
+
+## References
+
+- [Filebrowser Website](https://filebrowser.org/)
+- [Filebrowser GitHub Repository](https://github.com/filebrowser/filebrowser)
+- [Filebrowser Docker Image](https://hub.docker.com/r/filebrowser/filebrowser)
+- [Tailscale Docker Documentation](https://tailscale.com/kb/1282/docker)
diff --git a/services/filebrowser/compose.yml b/services/filebrowser/compose.yml
new file mode 100644
index 0000000..aa017c2
--- /dev/null
+++ b/services/filebrowser/compose.yml
@@ -0,0 +1,71 @@
+configs:
+ ts-serve:
+ content: |
+ {"TCP":{"443":{"HTTPS":true}},
+ "Web":{"$${TS_CERT_DOMAIN}:443":
+ {"Handlers":{"/":
+ {"Proxy":"http://127.0.0.1:80"}}}},
+ "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}}
+
+services:
+# Make sure you have updated/checked the .env file with the correct variables.
+# All the ${ xx } need to be defined there.
+ # Tailscale Sidecar Configuration
+ tailscale:
+ image: tailscale/tailscale:latest # Image to be used
+ container_name: tailscale-${SERVICE} # Name for local container management
+ hostname: ${SERVICE} # Name used within your Tailscale environment
+ environment:
+ - TS_AUTHKEY=${TS_AUTHKEY}
+ - TS_STATE_DIR=/var/lib/tailscale
+ - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+ - TS_USERSPACE=false
+ - TS_ENABLE_HEALTH_CHECK=true # Enable healthcheck endpoint: "/healthz"
+ - TS_LOCAL_ADDR_PORT=127.0.0.1:41234 # The : for the healthz endpoint
+ #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+ - TS_AUTH_ONCE=true
+ configs:
+ - source: ts-serve
+ target: /config/serve.json
+ volumes:
+ - ./config:/config # Config folder used to store Tailscale files - you may need to change the path
+ - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+ devices:
+ - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+ cap_add:
+ - net_admin # Tailscale requirement
+# ports:
+ #- 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your
+ # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+ #dns:
+ # - ${DNS_SERVER}
+ healthcheck:
+ test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+ interval: 1m # How often to perform the check
+ timeout: 10s # Time to wait for the
check to succeed
+ retries: 3 # Number of retries before marking as unhealthy
+ start_period: 10s # Time to wait before starting health checks
+ restart: always
+
+ application:
+ image: ${IMAGE_URL}
+ network_mode: service:tailscale
+ container_name: app-${SERVICE}
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=${TZ}
+ volumes:
+ - ./${SERVICE}-data:/srv
+ - ./${SERVICE}-database:/database
+ - ./${SERVICE}-config:/config
+ depends_on:
+ tailscale:
+ condition: service_healthy
+ healthcheck:
+ test: ["CMD", "pgrep", "-f", "${SERVICE}"] # Check if ${SERVICE} process is running
+ interval: 1m # How often to perform the check
+ timeout: 10s # Time to wait for the check to succeed
+ retries: 3 # Number of retries before marking as unhealthy
+ start_period: 30s # Time to wait before starting health checks
+ restart: always
\ No newline at end of file
diff --git a/services/filebrowser/images/initial-admin-password-in-logs.png b/services/filebrowser/images/initial-admin-password-in-logs.png
new file mode 100644
index 0000000..bc87418
Binary files /dev/null and b/services/filebrowser/images/initial-admin-password-in-logs.png differ
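Review bot: The commented-out `ports:` entry in the `tailscale` service publishes on `0.0.0.0:${SERVICEPORT}`, so a user who uncomments it makes Filebrowser reachable on every host interface, outside the Tailnet-only path that the serve config (with `AllowFunnel` set to `false`) otherwise provides; its trailing comment is also cut off mid-sentence. I would bind the example to loopback or one specific LAN address and say so, e.g. `#- 127.0.0.1:${SERVICEPORT}:${SERVICEPORT} # Optional local binding - reachable outside the Tailnet, keep Filebrowser authentication enabled`. Separately, the `application` service hard-codes `PUID=1000` and `PGID=1000` while `.env` lists `PUID` as an optional variable; `- PUID=${PUID:-1000}` and `- PGID=${PGID:-1000}` would let the owner of the read-write `/srv` mount be set without editing the compose file. The `application` healthcheck only runs `pgrep -f "${SERVICE}"`, which presumably passes whenever a matching process exists even if the web UI is not answering, so a comment stating that limitation would help.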