From 84033b5967e4dec1cda8d23582fbc0330ae687b8 Mon Sep 17 00:00:00 2001
From: nathan
Date: Sun, 12 Apr 2026 19:57:59 -0400
Subject: [PATCH] feat(trek): add Docker Compose configuration for Trek application
---
 nodes/heimdall/trek/compose.yaml | 63 ++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 nodes/heimdall/trek/compose.yaml
diff --git a/nodes/heimdall/trek/compose.yaml b/nodes/heimdall/trek/compose.yaml
new file mode 100644
index 0000000..0778240
--- /dev/null
+++ b/nodes/heimdall/trek/compose.yaml
@@ -0,0 +1,63 @@
+x-info:
+ repo: https://github.com/mauriceboe/TREK
+ releases: https://github.com/mauriceboe/TREK/releases
+ documentation:
+services:
+ app:
+ image: mauriceboe/trek:v2.9.13
+ container_name: trek
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETUID
+ - SETGID
+ tmpfs:
+ - /tmp:noexec,nosuid,size=64m
+ ports:
+ - "3000:3000"
+ environment:
+ - NODE_ENV=production
+ - PORT=3000
+ # - ENCRYPTION_KEY=${ENCRYPTION_KEY:-} # Recommended. Generate with: openssl rand -hex 32. If unset, falls back to data/.jwt_secret (existing installs) or auto-generates a key (fresh installs).
+ - TZ=${TZ:-UTC} # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin)
+ - LOG_LEVEL=${LOG_LEVEL:-info} # info = concise user actions; debug = verbose admin-level details
+ - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-} # Comma-separated origins for CORS and email notification links
+# - FORCE_HTTPS=true # Optional. Enables HTTPS redirect, HSTS, CSP upgrade-insecure-requests, and secure cookies behind a TLS proxy
+# - COOKIE_SECURE=false # Escape hatch: force session cookies over plain HTTP even in production. Not recommended.
+# - TRUST_PROXY=1 # Trusted proxy count for X-Forwarded-For / X-Forwarded-Proto. Required for FORCE_HTTPS to work.
+# - ALLOW_INTERNAL_NETWORK=false # Set to true if Immich or other services are hosted on your local network (RFC-1918 IPs). Loopback and link-local addresses remain blocked regardless.
+# - APP_URL=https://trek.example.com # Public base URL — required when OIDC is enabled (must match the redirect URI registered with your IdP); also used as base URL for links in email notifications
+# - OIDC_ISSUER=https://auth.example.com # OpenID Connect provider URL
+# - OIDC_CLIENT_ID=trek # OpenID Connect client ID
+# - OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret
+# - OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
+# - OIDC_ONLY=false # Set true to disable local password auth entirely (SSO only)
+# - OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
+# - OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
+# - OIDC_SCOPE=openid email profile # Fully overrides the default. Add extra scopes as needed (e.g. add groups if using OIDC_ADMIN_CLAIM)
+# - OIDC_DISCOVERY_URL= # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik)
+# - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
+# - ADMIN_PASSWORD=changeme # Initial admin password — only used on first boot when no users exist
+# - MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
+# - MCP_MAX_SESSION_PER_USER=5 # Max concurrent MCP sessions per user (default: 5)
+ volumes:
+ - /mnt/appdata/trek/data:/app/data
+ - /mnt/appdata/trek/uploads:/app/uploads
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 15s
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.trek.entrypoints=websecure"
+ - "traefik.http.routers.trek.rule=Host(`trek.castaldifamily.com`)"
+ - "traefik.http.routers.trek.tls=true"
+ - "traefik.http.routers.trek.tls.certresolver=cloudflare"
+ - "traefik.http.services.trek.loadbalancer.server.port=3000"
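Review bot: The `ports:` stanza (`- "3000:3000"`) publishes the app on every host interface over plain HTTP, which lets any client on the host's network reach it without passing through the Traefik `websecure` router and its TLS termination, undermining the `read_only`/`cap_drop`/`no-new-privileges` hardening above it; Traefik already reaches the container on the compose network via `traefik.http.services.trek.loadbalancer.server.port=3000`, so the host publish is not needed for routing. Remove the `ports:` block, or if direct local access is genuinely wanted bind it to loopback: `- "127.0.0.1:3000:3000"`. Since TLS is terminated at Traefik, it also looks like `TRUST_PROXY=1` and `FORCE_HTTPS=true` should be uncommented so the app honours `X-Forwarded-Proto` and marks session cookies `Secure` as the inline comments describe; confirm against the app's documentation that this matches the intended proxy setup. Minor: `documentation:` under `x-info` is a bare key that parses as null rather than an empty string; write `documentation: ""` or drop the key.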