From 780d9a1bf9fe7ef2e9798984d66248541304cc0f Mon Sep 17 00:00:00 2001
From: admin
Date: Sun, 24 Aug 2025 18:06:41 -0400
Subject: [PATCH] Add remaining stacks: Gitea, AppFlowy+MinIO, Vaultwarden, AdGuard, Caddy, Ollama; add stacks/README with networks, secrets and deploy examples
---
 stacks/README.md | 63 ++++++++++++++++++++++++++++++++
 stacks/ai/ollama.yml | 32 +++++++++++++++++
 stacks/apps/adguard.yml | 43 ++++++++++++++++++++++
 stacks/apps/appflowy.yml | 71 +++++++++++++++++++++++++++++++++++++
 stacks/apps/gitea.yml | 51 ++++++++++++++++++++++++++
 stacks/apps/vaultwarden.yml | 46 ++++++++++++++++++++++++
 stacks/web/caddy.yml | 31 ++++++++++++++++
 7 files changed, 337 insertions(+)
 create mode 100644 stacks/README.md
 create mode 100644 stacks/ai/ollama.yml
 create mode 100644 stacks/apps/adguard.yml
 create mode 100644 stacks/apps/appflowy.yml
 create mode 100644 stacks/apps/gitea.yml
 create mode 100644 stacks/apps/vaultwarden.yml
 create mode 100644 stacks/web/caddy.yml
diff --git a/stacks/README.md b/stacks/README.md
new file mode 100644
index 0000000..055b0b4
--- /dev/null
+++ b/stacks/README.md
@@ -0,0 +1,63 @@
+# Stacks Overview
+
+This directory contains Docker Swarm stack files for the new architecture.
+
+## Prerequisites
+
+- Overlay networks (create once on the manager):
+ - `traefik-public`
+ - `database-network`
+ - `monitoring-network`
+
+```bash
+docker network create --driver overlay --attachable traefik-public
+docker network create --driver overlay --attachable database-network
+docker network create --driver overlay --attachable monitoring-network
+```
+
+- Docker secrets (examples):
+
+```bash
+printf 'StrongPostgresRoot' | docker secret create pg_root_password -
+printf 'StrongMariaRoot' | docker secret create mariadb_root_password -
+printf 'gitea-db-pass' | docker secret create gitea_db_password -
+printf 'nextcloud-pass' | docker secret create nextcloud_db_password -
+printf 'smtp-user' | docker secret create smtp_user -
+printf 'smtp-pass' | docker secret create smtp_pass -
+printf 'postgres://user:pass@postgresql_primary:5432/db' | docker secret create appflowy_db_url -
+printf 'minioadmin' | docker secret create minio_access_key -
+printf 'minioadminsecret' | docker secret create minio_secret_key -
+```
+
+- NFS exports on `omv800.local` matching the `driver_opts` in stack volumes.
+
+## Deploy examples
+
+```bash
+docker stack deploy -c stacks/core/traefik.yml traefik
+docker stack deploy -c stacks/databases/postgresql-primary.yml postgresql
+docker stack deploy -c stacks/databases/mariadb-primary.yml mariadb
+docker stack deploy -c stacks/databases/redis-cluster.yml redis
+
+docker stack deploy -c stacks/apps/homeassistant.yml homeassistant
+docker stack deploy -c stacks/apps/immich.yml immich
+docker stack deploy -c stacks/apps/nextcloud.yml nextcloud
+docker stack deploy -c stacks/apps/paperless.yml paperless
+docker stack deploy -c stacks/apps/jellyfin.yml jellyfin
+
+docker stack deploy -c stacks/apps/gitea.yml gitea
+docker stack deploy -c stacks/apps/appflowy.yml appflowy
+docker stack deploy -c stacks/apps/vaultwarden.yml vaultwarden
+docker stack deploy -c stacks/apps/adguard.yml adguard
+
+docker stack deploy -c stacks/web/caddy.yml caddy
+docker stack deploy -c stacks/ai/ollama.yml ollama
+
+docker stack deploy -c stacks/monitoring/netdata.yml netdata
+```
+
+## Notes
+
+- Pin image versions and avoid `:latest` in production.
+- Use DNS or host pinning for stateful services.
+- Consider placement constraints (`node.labels.role`).
diff --git a/stacks/ai/ollama.yml b/stacks/ai/ollama.yml
new file mode 100644
index 0000000..5af2fe8
--- /dev/null
+++ b/stacks/ai/ollama.yml
@@ -0,0 +1,32 @@
+version: '3.9'
+
+services:
+ ollama:
+ image: ollama/ollama:0.1.46
+ ports:
+ - target: 11434
+ published: 11434
+ mode: host
+ volumes:
+ - ollama_models:/root/.ollama
+ networks:
+ - traefik-public
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.ollama.rule=Host(`ollama.localhost`)
+ - traefik.http.routers.ollama.entrypoints=websecure
+ - traefik.http.routers.ollama.tls=true
+ - traefik.http.services.ollama.loadbalancer.server.port=11434
+
+volumes:
+ ollama_models:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: addr=omv800.local,nolock,soft,rw
+ device: :/export/ollama/models
+
+networks:
+ traefik-public:
+ external: true
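Review bot: The `ports:` block publishes 11434 in `mode: host`, which exposes Ollama's unauthenticated HTTP API on every interface of whichever node runs the task and bypasses the `websecure` TLS router declared right below it. Ollama ships no authentication of its own, so anyone who can reach the node can pull or delete models and run generations against the host's CPU/GPU, while the Traefik route already provides the intended access path. Drop the four `ports:` lines and front the router with an auth middleware, e.g. `- traefik.http.routers.ollama.middlewares=ollama-auth` plus a `traefik.http.middlewares.ollama-auth.basicauth.users=<htpasswd-entry>` label (placeholder value). Separately, `o: addr=omv800.local,nolock,soft,rw` on the model store turns a stalled NFS server into I/O errors mid-load; `hard` is the usual choice for data volumes, and the same option string is repeated in every other stack file in this patch.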
diff --git a/stacks/apps/adguard.yml b/stacks/apps/adguard.yml
new file mode 100644
index 0000000..91914a8
--- /dev/null
+++ b/stacks/apps/adguard.yml
@@ -0,0 +1,43 @@
+version: '3.9'
+
+services:
+ adguard:
+ image: adguard/adguardhome:v0.107.51
+ volumes:
+ - adguard_conf:/opt/adguardhome/conf
+ - adguard_work:/opt/adguardhome/work
+ ports:
+ - target: 53
+ published: 53
+ protocol: tcp
+ mode: host
+ - target: 53
+ published: 53
+ protocol: udp
+ mode: host
+ - target: 3000
+ published: 3000
+ mode: host
+ networks:
+ - traefik-public
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.adguard.rule=Host(`adguard.localhost`)
+ - traefik.http.routers.adguard.entrypoints=websecure
+ - traefik.http.routers.adguard.tls=true
+ - traefik.http.services.adguard.loadbalancer.server.port=3000
+
+volumes:
+ adguard_conf:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: addr=omv800.local,nolock,soft,rw
+ device: :/export/adguard/conf
+ adguard_work:
+ driver: local
+
+networks:
+ traefik-public:
+ external: true
diff --git a/stacks/apps/appflowy.yml b/stacks/apps/appflowy.yml
new file mode 100644
index 0000000..49868df
--- /dev/null
+++ b/stacks/apps/appflowy.yml
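Review bot: Publishing 3000 in `mode: host` exposes AdGuard's first-run setup wizard directly on the host, without TLS and outside the Traefik route; until the wizard has been completed, whoever reaches that port first gets to choose the admin credentials. Keep the two port-53 mappings (DNS has to live on the host) and delete the `target: 3000` entry so the UI is reachable only through `adguard.localhost`. Note also that after setup AdGuard serves its UI on the port chosen in the wizard rather than on 3000 (80 by default in the container, as far as I can tell), so `traefik.http.services.adguard.loadbalancer.server.port=3000` will likely stop working unless the wizard is told to keep 3000 — confirm against the image's documentation. `adguard_work` is a plain local volume while `adguard_conf` is on NFS, so query logs and statistics are lost whenever the task is rescheduled to another node; either add a placement constraint or put it on NFS as well.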
@@ -0,0 +1,71 @@
+version: '3.9'
+
+services:
+ appflowy:
+ image: ghcr.io/appflowy-io/appflowy-cloud:0.3.5
+ environment:
+ DATABASE_URL_FILE: /run/secrets/appflowy_db_url
+ REDIS_URL: redis://redis_master:6379
+ STORAGE_ENDPOINT: http://minio:9000
+ STORAGE_BUCKET: appflowy
+ STORAGE_ACCESS_KEY_FILE: /run/secrets/minio_access_key
+ STORAGE_SECRET_KEY_FILE: /run/secrets/minio_secret_key
+ secrets:
+ - appflowy_db_url
+ - minio_access_key
+ - minio_secret_key
+ networks:
+ - traefik-public
+ - database-network
+ depends_on:
+ - minio
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.appflowy.rule=Host(`appflowy.localhost`)
+ - traefik.http.routers.appflowy.entrypoints=websecure
+ - traefik.http.routers.appflowy.tls=true
+ - traefik.http.services.appflowy.loadbalancer.server.port=8000
+
+ minio:
+ image: quay.io/minio/minio:RELEASE.2024-05-10T01-41-38Z
+ command: server /data --console-address ":9001"
+ environment:
+ MINIO_ROOT_USER_FILE: /run/secrets/minio_access_key
+ MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_secret_key
+ secrets:
+ - minio_access_key
+ - minio_secret_key
+ volumes:
+ - appflowy_minio:/data
+ networks:
+ - traefik-public
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.minio.rule=Host(`minio.localhost`)
+ - traefik.http.routers.minio.entrypoints=websecure
+ - traefik.http.routers.minio.tls=true
+ - traefik.http.services.minio.loadbalancer.server.port=9001
+
+volumes:
+ appflowy_minio:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: addr=omv800.local,nolock,soft,rw
+ device: :/export/appflowy/minio
+
+secrets:
+ appflowy_db_url:
+ external: true
+ minio_access_key:
+ external: true
+ minio_secret_key:
+ external: true
+
+networks:
+ traefik-public:
+ external: true
+ database-network:
+ external: true
diff --git a/stacks/apps/gitea.yml b/stacks/apps/gitea.yml
new file mode 100644
index 0000000..b091879
--- /dev/null
+++ b/stacks/apps/gitea.yml
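Review bot: The `appflowy` service is handed `minio_access_key`/`minio_secret_key`, the very secrets MinIO reads as `MINIO_ROOT_USER_FILE`/`MINIO_ROOT_PASSWORD_FILE`, so the application runs with the object store's root credentials (and the README in this patch seeds them with the well-known `minioadmin` example values). Create a MinIO user scoped to the `appflowy` bucket with a read/write policy, give only that key pair to `appflowy`, and keep the root pair for the `minio` service alone. Both `appflowy` here and `gitea` in stacks/apps/gitea.yml are attached to two networks, and Traefik picks an arbitrary one to reach the task when none is named, so add `- traefik.docker.network=traefik-public` to each service's labels to avoid intermittent 504s. `depends_on` is ignored by `docker stack deploy`, so ordering against `minio` must come from the app's own retry behaviour. I also cannot confirm from the hunk that appflowy-cloud 0.3.5 honours `DATABASE_URL_FILE`, `STORAGE_*_KEY_FILE` or the `STORAGE_*`/`REDIS_URL` names at all; if it does not, the `/run/secrets/...` paths are used as literal values, so verify against the image's documented environment.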
@@ -0,0 +1,51 @@
+version: '3.9'
+
+services:
+ gitea:
+ image: gitea/gitea:1.21.11
+ environment:
+ - GITEA__database__DB_TYPE=mysql
+ - GITEA__database__HOST=mariadb_primary:3306
+ - GITEA__database__NAME=gitea
+ - GITEA__database__USER=gitea
+ - GITEA__database__PASSWD__FILE=/run/secrets/gitea_db_password
+ - GITEA__server__ROOT_URL=https://gitea.localhost/
+ - GITEA__server__SSH_DOMAIN=gitea.localhost
+ - GITEA__server__SSH_PORT=2222
+ - GITEA__service__DISABLE_REGISTRATION=true
+ secrets:
+ - gitea_db_password
+ volumes:
+ - gitea_data:/data
+ networks:
+ - traefik-public
+ - database-network
+ ports:
+ - target: 22
+ published: 2222
+ mode: host
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.gitea.rule=Host(`gitea.localhost`)
+ - traefik.http.routers.gitea.entrypoints=websecure
+ - traefik.http.routers.gitea.tls=true
+ - traefik.http.services.gitea.loadbalancer.server.port=3000
+
+volumes:
+ gitea_data:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: addr=omv800.local,nolock,soft,rw
+ device: :/export/gitea/data
+
+secrets:
+ gitea_db_password:
+ external: true
+
+networks:
+ traefik-public:
+ external: true
+ database-network:
+ external: true
diff --git a/stacks/apps/vaultwarden.yml b/stacks/apps/vaultwarden.yml
new file mode 100644
index 0000000..6adb92a
--- /dev/null
+++ b/stacks/apps/vaultwarden.yml
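Review bot: `GITEA__database__HOST=mariadb_primary:3306` sends the database password over `database-network`, and the README in this patch creates that overlay without `--opt encrypted`, so whenever Gitea and MariaDB land on different nodes the MySQL handshake and query traffic cross the underlay in clear. Either recreate the network with `docker network create --driver overlay --attachable --opt encrypted database-network` or enable TLS on the connection with `- GITEA__database__SSL_MODE=<mode>` (placeholder; check the accepted values for the MySQL driver in the Gitea config docs). The `gitea_data` volume serves repositories over NFS with `nolock,soft`; git relies on lock files and a soft mount turns a slow server into I/O errors in the middle of a push, so a `hard` mount without `nolock` is the safer choice for repository data. The SSH publish on 2222 uses `mode: host` with no placement constraint, so the port follows the task between nodes — pin it with `deploy.placement.constraints` if clients are configured with a fixed host.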
@@ -0,0 +1,46 @@
+version: '3.9'
+
+services:
+ vaultwarden:
+ image: vaultwarden/server:1.30.5
+ environment:
+ DOMAIN: https://vaultwarden.localhost
+ SIGNUPS_ALLOWED: 'false'
+ SMTP_HOST: smtp
+ SMTP_FROM: noreply@local
+ SMTP_PORT: 587
+ SMTP_SECURITY: starttls
+ SMTP_USERNAME_FILE: /run/secrets/smtp_user
+ SMTP_PASSWORD_FILE: /run/secrets/smtp_pass
+ secrets:
+ - smtp_user
+ - smtp_pass
+ volumes:
+ - vw_data:/data
+ networks:
+ - traefik-public
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.vw.rule=Host(`vaultwarden.localhost`)
+ - traefik.http.routers.vw.entrypoints=websecure
+ - traefik.http.routers.vw.tls=true
+ - traefik.http.services.vw.loadbalancer.server.port=80
+
+volumes:
+ vw_data:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: addr=omv800.local,nolock,soft,rw
+ device: :/export/vaultwarden/data
+
+secrets:
+ smtp_user:
+ external: true
+ smtp_pass:
+ external: true
+
+networks:
+ traefik-public:
+ external: true
diff --git a/stacks/web/caddy.yml b/stacks/web/caddy.yml
new file mode 100644
index 0000000..c599a38
--- /dev/null
+++ b/stacks/web/caddy.yml
@@ -0,0 +1,31 @@
+version: '3.9'
+
+services:
+ caddy:
+ image: caddy:2.7.6
+ volumes:
+ - caddy_config:/etc/caddy
+ - caddy_data:/data
+ networks:
+ - traefik-public
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.caddy.rule=Host(`caddy.localhost`)
+ - traefik.http.routers.caddy.entrypoints=websecure
+ - traefik.http.routers.caddy.tls=true
+ - traefik.http.services.caddy.loadbalancer.server.port=80
+
+volumes:
+ caddy_config:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: addr=omv800.local,nolock,soft,rw
+ device: :/export/caddy/config
+ caddy_data:
+ driver: local
+
+networks:
+ traefik-public:
+ external: true
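Review bot: `vw_data:/data` holds Vaultwarden's default SQLite database and is mounted over NFS with `nolock,soft`; SQLite depends on file locking, so this combination risks silently corrupting the vault store under concurrent writes or when the task is rescheduled. Point `DATABASE_URL` at the MariaDB or PostgreSQL stack the README already deploys (ideally through a file-based secret if the image supports that for this variable), or keep the data on a node-local volume with a placement constraint. `SMTP_HOST: smtp` names a service that is not in this stack and is presumably expected on `traefik-public` from another one, which deserves a comment such as `# SMTP relay is provided by the <stack-name> stack` (placeholder). I also cannot confirm from the hunk that vaultwarden 1.30.5 reads `SMTP_USERNAME_FILE`/`SMTP_PASSWORD_FILE`; verify this, otherwise the secret paths are sent to the relay as the credentials. Leaving `ADMIN_TOKEN` unset (admin page disabled) together with `SIGNUPS_ALLOWED: 'false'` is the right default for a password manager.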
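Review bot: Mounting the NFS volume `caddy_config` at `/etc/caddy` hides the image's default `/etc/caddy/Caddyfile`, and whether Docker seeds an NFS-backed named volume from the image on first mount is not something I can confirm from here — if it does not, the container exits at start because `caddy run` finds no config. Ship the Caddyfile explicitly as a Swarm `configs:` entry mounted at `/etc/caddy/Caddyfile` and keep the volume for `/data` only. Since TLS is terminated by Traefik, the Caddy site config should also declare `trusted_proxies` for the `traefik-public` range so client IPs in logs and any IP-based access rules see the real peer rather than the proxy. `caddy_data` is a node-local volume; Caddy stores its TLS private keys and ACME state there, so if Caddy is ever made to issue certificates itself that state is lost on reschedule.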