Merge pull request 'feat(Vaultwarden): Add new org groups feature' (#84) from vaultwarden into main

## Détails

- Ajout de la [fonctionnalité de groupes dans les organisations](https://bitwarden.com/help/about-groups/)
- C'est une fonctionnalité que [Vaultwarden présente comme beta](90f7e5ff80/.env.template (L443-L448))

Reviewed-on: #84

README.md

@@ -11,6 +11,7 @@ Vous trouverez dans ce dépôt l'ensemble des services Open Source que RésiLien
 - [listmonk](./listmonk) : Gestionnaire de listes de diffusion et de newsletter
 - [Mobilizon](./mobilizon): Permet l'organisation d'évènements et de gestion de groupes
 - [Nextcloud](./nextcloud) : Site d'hébergement de fichiers et une plateforme de collaboration
+- [signaturepdf](./signaturepdf) : Logiciel WEB libre permettant de modifier un fichier PDF facilement
 - [Plausible](./plausible) : Plausible est une plateforme d'analyse Web légère et open source
 - [Vaultwarden](./vaultwarden) : Gestionnaire de mot de passe compatible avec Bitwarden
 - [Vikunja](./vikunja) : L'application pour organiser sa vie
@@ -22,6 +23,7 @@ Vous trouverez dans ce dépôt l'ensemble des services Open Source que RésiLien
 - [GeoIP Update](./geoipupdate) : Permet de télécharger la base de données GeoIP2 permettant de localiser les IPs
 - [Gitea](./gitea) : Un service Git très simple à installer et à utiliser. Il est similaire à GitHub, Bitbucket ou Gitlab.
 - [Grafana](./grafana) : Un outil de supervision simple et élégant
+- [LLDAP](./lldap): Implémentation légère de LDAP pour l'authentification
 - [PostgreSQL](./postgres) : PostgreSQL est un système de gestion de base de données relationnelle et objet.
 - [Prometheus](./prometheus) : Un logiciel de surveillance informatique
 - [Redis](./redis) : Système de gestion de base de données clé-valeur extensible, très hautes performances

clickhouse/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 volumes:
   clickhouse:

directus/README.md

@@ -6,6 +6,8 @@
 
 [De nombreuses variables d'environnement][documentation] peuvent être précisé pour configurer Directus.
 
+- `CORS_ORIGIN` à comme valeur par défaut `false` et peut prendre `true` pour accepter toutes les connexions, mais il est préférable de spécifier directement les sites comme ceci `array:https://example.com,https://staging.example.com`.
+
 ## Liens
 
 - [Site officiel][website]

directus/docker-compose.redis.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 services:
   directus:
     environment:

directus/docker-compose.smtp.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 services:
   directus:
     environment:

directus/docker-compose.traefik.yml

@@ -1,10 +1,9 @@
 ---
 
-version: "3.8"
-
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   directus:

directus/docker-compose.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 volumes:
   directus:
     name: ${DIRECTUS_VOLUME_NAME:-directus}
@@ -24,6 +22,8 @@ services:
       ADMIN_EMAIL: ${DIRECTUS_ADMIN_EMAIL:?err}
       ADMIN_PASSWORD: ${DIRECTUS_ADMIN_PASSWORD:?err}
       PUBLIC_URL: ${DIRECTUS_PUBLIC_URL:?err}
+      CORS_ENABLED: ${DIRECTUS_CORS_ENABLED:-false}
+      CORS_ORIGIN: ${DIRECTUS_CORS_ORIGIN:-false}
 
       DB_CLIENT: 'pg'
       DB_HOST: ${POSTGRES_CONTAINER_NAME:-postgres} # Default name is same as ../postgres/docker-compose.yml:8

drone/runner/docker-compose.dashboard.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/runner/docker/configuration/dashboard/
 
 services:

drone/runner/docker-compose.local.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 services:
   drone-runner:
     ports:

drone/runner/docker-compose.logging.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/runner/docker/configuration/logging/
 
 services:

drone/runner/docker-compose.traefik.yml

@@ -1,10 +1,9 @@
 ---
 
-version: "3.8"
-
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME}
+    external: true
 
 services:
   drone-runner:

drone/runner/docker-compose.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/runner/docker/installation/linux/
 
 services:

drone/server/README.md

@@ -33,9 +33,10 @@ Il faut ajouter les utilisateurs non admin :
 ```
 drone user add kosssi
 drone user add killian
+export PROMETHEUS_TOKEN=`openssl rand -hex 16`
 drone user add prometheus --machine --token=${PROMETHEUS_TOKEN}
 ```
 
 En n'oubliant pas au moment de l'installation d'identifier précisément les utilisateurs ayant le droit d'exécuter Drone avec la variable `DRONE_USER_FILTER=kosssi,killian,prometheus,${DRONE_ADMIN_USER}`
 
-[Documentation officielle](https://docs.drone.io/cli/user/drone-user-add/)
+[Documentation officielle](https://docs.drone.io/server/user/machine/#create-accounts) [cli](https://docs.drone.io/cli/user/drone-user-add/)

drone/server/docker-compose.cookie.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/server/cookie/
 
 services:

drone/server/docker-compose.gitea.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/server/provider/gitea/
 
 services:

drone/server/docker-compose.header.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/server/headers/
 
 services:

drone/server/docker-compose.local.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 services:
   drone-server:
     ports:

drone/server/docker-compose.logging.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/server/logging/
 
 services:

drone/server/docker-compose.postgres.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/server/storage/database/
 # https://docs.drone.io/server/storage/encryption/
 

drone/server/docker-compose.traefik.yml

@@ -1,10 +1,9 @@
 ---
 
-version: "3.8"
-
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME}
+    external: true
 
 services:
   drone-server:

drone/server/docker-compose.user.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 # https://docs.drone.io/server/user/registration/
 
 services:

drone/server/docker-compose.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 volumes:
   drone-server:
     name: ${DRONE_SERVER_VOLUME_NAME:-drone-server}

geoip/docker-compose.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 volumes:
   geoip:
     name: ${GEOIP_VOLUME_NAME:-geoip}

geoipupdate/docker-compose.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 volumes:
   geoipupdate:
     name: ${GEOIPUPDATE_VOLUME_NAME:-geoipupdate}

gitea/docker-compose.metrics.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   gitea:

gitea/docker-compose.override.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   gitea:

gitea/docker-compose.postgres.yml

@@ -0,0 +1,12 @@
+---
+
+services:
+  gitea:
+    environment:
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=${POSTGRES_CONTAINER_NAME:-postgres}:5432
+      - GITEA__database__NAME=${POSTGRES_DB}
+      - GITEA__database__USER=${POSTGRES_USER}
+      - GITEA__database__PASSWD=${POSTGRES_PASSWORD}
+    depends_on:
+      - postgres

gitea/docker-compose.smtp.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   gitea:

gitea/docker-compose.traefik.yml

@@ -1,8 +1,9 @@
-version: "3.8"
+---
 
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   gitea:

gitea/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 volumes:
   gitea:
@@ -7,17 +7,11 @@ volumes:
 services:
   gitea:
     container_name: ${GITEA_CONTAINER_NAME:-gitea}
-    image: ${GITEA_IMAGE:-gitea/gitea:1.18.4}
+    image: ${GITEA_IMAGE:-gitea/gitea:1.20.4}
     restart: always
     environment:
       - USER_UID=${GITEA_UID:-1000}
       - USER_GID=${GITEA_GID:-1000}
-      # Database
-      - GITEA__database__DB_TYPE=postgres
-      - GITEA__database__HOST=${POSTGRES_CONTAINER_NAME:-postgres}:5432
-      - GITEA__database__NAME=${POSTGRES_DB}
-      - GITEA__database__USER=${POSTGRES_USER}
-      - GITEA__database__PASSWD=${POSTGRES_PASSWORD}
       # Security
       # docker run -it --rm gitea/gitea:1 gitea generate secret SECRET_KEY
       - GITEA__security__SECRET_KEY=${GITEA_SECRET_KEY}
@@ -27,5 +21,3 @@ services:
       - gitea:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
-    depends_on:
-      - postgres

grafana/docker-compose.postgres.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   grafana:

grafana/docker-compose.redis.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   grafana:

grafana/docker-compose.smtp.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   grafana:

grafana/docker-compose.traefik.yml

@@ -1,8 +1,9 @@
-version: "3.8"
+---
 
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   grafana:

grafana/docker-compose.yml

@@ -1,5 +1,4 @@
 ---
-version: "3.8"
 
 volumes:
   grafana:

hedgedoc/docker-compose.traefik.yml

@@ -1,8 +1,9 @@
-version: "3.8"
+---
 
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   hedgedoc:

hedgedoc/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 volumes:
   hedgedoc:

listmonk/docker-compose.yml

@@ -1,8 +1,9 @@
-version: "3.8"
+---
 
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 volumes:
   listmonk:

lldap/.env

@@ -0,0 +1,50 @@
+########
+# DOCKER
+
+SERVICES_DIR=..
+COMPOSE_FILE=${SERVICES_DIR}/lldap/docker-compose.yml:${SERVICES_DIR}/lldap/docker-compose.local.yml:${SERVICES_DIR}/postgres/docker-compose.yml
+#COMPOSE_PROJECT_NAME=
+
+#######
+# LLDAP
+
+SERVICE_DOMAIN=lldap.cool.life
+LLDAP_VOLUME_NAME=lldap_cool_life
+LLDAP_CONTAINER_NAME=lldap_cool_life
+LLDAP_IMAGE=nitnelave/lldap:v0.4.3
+
+LLDAP_JWT_SECRET="6IeP8UUbEkQXrkUNbnu1sGpcZOu29wUTWh3uiEgMorI="
+LLDAP_VERBOSE=true
+
+LLDAP_LDAP_BASE_DN="dc=cool,dc=life"
+LLDAP_LDAP_USER_DN="myuser"
+LLDAP_LDAP_USER_EMAIL="admin@cool.life"
+LLDAP_LDAP_USER_PASS="mon-mot-de-passe"
+
+# LLDAP_TEST_EMAIL_TO=
+# LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=
+# LLDAP_SMTP_OPTIONS__SERVER=
+# LLDAP_SMTP_OPTIONS__PORT=
+# LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=
+# LLDAP_SMTP_OPTIONS__USER=
+# LLDAP_SMTP_OPTIONS__PASSWORD=
+# LLDAP_SMTP_OPTIONS__FROM=
+# LLDAP_SMTP_OPTIONS__REPLY_TO=
+
+
+##########
+# POSTGRES
+
+POSTGRES_USER=user-example
+POSTGRES_PASSWORD=password-example
+POSTGRES_DB=postgres-database-name-example
+POSTGRES_CONTAINER_NAME=lldap-postgres
+POSTGRES_VOLUME_NAME=lldap-postgres
+#POSTGRES_IMAGE=
+
+#########
+# TRAEFIK
+
+#TRAEFIK_NETWORK_NAME=
+#TRAEFIK_ROUTER_NAME=                                       # Don't use char '.'
+#TRAEFIK_ENTRYPOINTS=

lldap/README.md

@@ -0,0 +1,27 @@
+# LLDAP
+
+> Implémentation légère de LDAP pour l'authentification :
+> Ce projet est un serveur d'authentification léger (écrit en rust) qui fournit une interface LDAP simplifiée pour l'authentification. Il s'intègre avec de nombreux backends, de KeyCloak à [Authelia](https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml) en passant par Nextcloud et plus encore !
+
+## Documentation
+
+- Le fichier [`lldap_config.docker_template.toml`](https://github.com/lldap/lldap/blob/main/lldap_config.docker_template.toml) contient toute la configuration possible de l'outil.
+- De base le projet utilise SQLite, mais on peut utiliser Postgres voir le fichier [`docker-compose.postgres.yml`](./docker-compose.postgres.yml)
+- Le projet n'est pas [traduit](https://github.com/lldap/lldap/issues/20) actuellement
+- Lors du lancement du service une clé est généré aléatoirement dans le fichier `private_key` du dossier `/data` du container, ce fichier est important il faut donc le sauvegarder puisque les mots de passe sont chiffrés en base avec.
+
+## Configuration
+
+La configuration a été séparée en 5 fichiers :
+
+- [`docker-compose.yml`](./docker-compose.yml) contient la configuration de base
+- [`docker-compose.local.yml`](./docker-compose.local.yml) permettant de tester le service sans Traefik
+- [`docker-compose.smtp.yml`](./docker-compose.smtp.yml) correspondant à la configuration du service SMTP
+- [`docker-compose.postgres.yml`](./docker-compose.postgres.yml) pour configurer le service Postgres
+- [`docker-compose.traefik.yml`](./docker-compose.traefik.yml) pour configurer automatiquement Traefik
+
+## Liens
+
+- [Code source](https://github.com/lldap/lldap)
+- [Docker Hub](https://hub.docker.com/r/nitnelave/lldap)
+- [Documentation](https://github.com/lldap/lldap/blob/main/lldap_config.docker_template.toml)

lldap/docker-compose.local.yml

@@ -0,0 +1,11 @@
+---
+
+services:
+  lldap:
+    ports:
+      # For LDAP
+      - "3890:3890"
+      # For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below
+      - "6360:6360"
+      # For the web front-end
+      - "17170:17170"

lldap/docker-compose.postgres.yml

@@ -0,0 +1,6 @@
+---
+
+services:
+  lldap:
+    environment:
+      - LLDAP_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_CONTAINER_NAME}/${POSTGRES_DB}

lldap/docker-compose.smtp.yml

@@ -0,0 +1,14 @@
+---
+
+services:
+  lldap:
+    environment:
+      - LLDAP_TEST_EMAIL_TO=${LLDAP_TEST_EMAIL_TO}
+      - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=${LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET}
+      - LLDAP_SMTP_OPTIONS__SERVER=${LLDAP_SMTP_OPTIONS__SERVER}
+      - LLDAP_SMTP_OPTIONS__PORT=${LLDAP_SMTP_OPTIONS__PORT}
+      - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=${LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION}
+      - LLDAP_SMTP_OPTIONS__USER=${LLDAP_SMTP_OPTIONS__USER}
+      - LLDAP_SMTP_OPTIONS__PASSWORD=${LLDAP_SMTP_OPTIONS__PASSWORD}
+      - LLDAP_SMTP_OPTIONS__FROM=${LLDAP_SMTP_OPTIONS__FROM}
+      - LLDAP_SMTP_OPTIONS__REPLY_TO=${LLDAP_SMTP_OPTIONS__REPLY_TO}

lldap/docker-compose.traefik.yml

@@ -0,0 +1,22 @@
+---
+
+networks:
+  default:
+    name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
+
+services:
+  lldap:
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=${TRAEFIK_NETWORK_NAME:-traefik}
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-lldap}.rule=Host(`${SERVICE_DOMAIN:?err}`)
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-lldap}.entrypoints=${TRAEFIK_ENTRYPOINTS:-web}
+      # - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-lldap}.tls.certResolver=letsencrypt
+      - traefik.http.services.${TRAEFIK_ROUTER_NAME:-lldap}.loadbalancer.server.port=17170
+      - traefik.http.services.${TRAEFIK_ROUTER_NAME:-lldap}.loadbalancer.server.scheme=http
+
+      # https://github.com/lldap/lldap/issues/247#issuecomment-1489962511
+      # - traefik.tcp.routers.${TRAEFIK_ROUTER_NAME:-lldap}.rule=HostSNI(`${SERVICE_DOMAIN:?err}`)
+      # - traefik.tcp.routers.${TRAEFIK_ROUTER_NAME:-lldap}.entrypoints=${TRAEFIK_ENTRYPOINTS:-web}
+      # - traefik.tcp.services.${TRAEFIK_ROUTER_NAME:-lldap}.loadbalancer.server.port=3890

lldap/docker-compose.yml

@@ -0,0 +1,24 @@
+---
+
+volumes:
+  lldap:
+    name: ${LLDAP_VOLUME_NAME:-lldap}
+
+services:
+  lldap:
+    container_name: ${LLDAP_CONTAINER_NAME:-lldap}
+    image: ${LLDAP_IMAGE:-nitnelave/lldap:v0.4.3}
+    restart: always
+    volumes:
+      - "lldap:/data"
+    environment:
+      - TZ=${TIMEZONE:-Europe/Paris}
+      - LLDAP_VERBOSE=${LLDAP_VERBOSE:-false}
+
+      - LLDAP_JWT_SECRET=${LLDAP_JWT_SECRET:?err}
+      - LLDAP_HTTP_URL=https://${SERVICE_DOMAIN:?err}
+
+      - LLDAP_LDAP_BASE_DN=${LLDAP_LDAP_BASE_DN:?err}
+      - LLDAP_LDAP_USER_DN=${LLDAP_LDAP_USER_DN:?err}
+      - LLDAP_LDAP_USER_EMAIL=${LLDAP_LDAP_USER_EMAIL:?err}
+      - LLDAP_LDAP_USER_PASS=${LLDAP_LDAP_USER_PASS:?err}

mobilizon/docker-compose.local.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 services:
   mobilizon:
     ports:

mobilizon/docker-compose.traefik.yml

@@ -1,10 +1,9 @@
 ---
 
-version: "3.8"
-
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   mobilizon:

mobilizon/docker-compose.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 volumes:
   mobilizon:
     name: ${MOBILIZON_VOLUME_NAME:-mobilizon}

nextcloud/docker-compose.config.yml

@@ -1,5 +1,4 @@
 ---
-version: "3.8"
 
 services:
   nextcloud-fpm:

nextcloud/docker-compose.local.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   nextcloud-web:

nextcloud/docker-compose.postgres.yml

@@ -0,0 +1,16 @@
+---
+
+services:
+  nextcloud-fpm:
+    depends_on:
+      - postgres
+    environment:
+      &postgres-configuration
+      POSTGRES_HOST: ${POSTGRES_CONTAINER_NAME:-postgres} # Default name is same as ../postgres/docker-compose.yml:8
+      POSTGRES_USER: ${POSTGRES_USER:?err}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?err}
+      POSTGRES_DB: ${POSTGRES_DB:?err}
+
+  nextcloud-cron:
+    environment:
+      <<: *postgres-configuration

nextcloud/docker-compose.redis.yml

@@ -0,0 +1,13 @@
+---
+
+services:
+  nextcloud-fpm:
+    depends_on:
+      - redis
+    environment:
+      &redis-configuration
+      REDIS_HOST: ${REDIS_CONTAINER_NAME:-redis} # Default name is same as ../redis/docker-compose.yml:4
+
+  nextcloud-cron:
+    environment:
+      <<: *redis-configuration

nextcloud/docker-compose.smtp.yml

@@ -1,17 +1,17 @@
-version: "3.8"
+---
 
 services:
   nextcloud-fpm:
     environment:
       &smtp-configuration
-      NC_mail_smtphost: ${NC_mail_smtphost:?err} # The hostname of the SMTP server.
+      SMTP_HOST: ${SMTP_HOST:?err}
-      NC_mail_smtpsecure: ${NC_mail_smtpsecure:-ssl} # Set to ssl to use SSL, or tls to use STARTTLS.
+      SMTP_SECURE: ${SMTP_SECURE:-}
-      NC_mail_smtpport: ${NC_mail_smtpport:-465}
+      SMTP_PORT: ${SMTP_PORT:-587}
-      NC_mail_smtpauthtype: ${NC_mail_smtpauthtype:-LOGIN}
+      SMTP_AUTHTYPE: ${SMTP_AUTHTYPE:-LOGIN}
-      NC_mail_smtpname: ${NC_mail_smtpname:?err}
+      SMTP_NAME: ${SMTP_NAME:?err}
-      NC_mail_smtppassword: ${NC_mail_smtppassword:?err}
+      SMTP_PASSWORD: ${SMTP_PASSWORD:?err}
-      NC_mail_from_address: ${NC_mail_from_address:?err}
+      MAIL_FROM_ADDRESS: ${MAIL_FROM_ADDRESS:?err}
-      NC_mail_domain: ${NC_mail_domain:?err}
+      MAIL_DOMAIN: ${MAIL_DOMAIN:?err}
 
   nextcloud-cron:
     environment:

nextcloud/docker-compose.traefik.yml

@@ -1,13 +1,15 @@
-version: "3.8"
+---
 
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
-  nextcloud-web:
+  nextcloud-fpm:
     environment:
       TRUSTED_PROXIES: ${TRAEFIK_NETWORK_NAME:-traefik}
+  nextcloud-web:
     labels:
       - traefik.enable=true
       - traefik.docker.network=${TRAEFIK_NETWORK_NAME:-traefik}

nextcloud/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 volumes:
   nextcloud:
@@ -9,9 +9,6 @@ services:
     container_name: ${NEXTCLOUD_CONTAINER_NAME:-nextcloud}-fpm
     image: ${NEXTCLOUD_IMAGE:-nextcloud:25.0.2-fpm-alpine}
     restart: always
-    depends_on:
-      - postgres
-      - redis
     volumes:
       - nextcloud:/var/www/html
       - /etc/timezone:/etc/timezone:ro
@@ -23,11 +20,6 @@ services:
       NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD?err}
       OVERWRITEPROTOCOL: ${OVERWRITEPROTOCOL:-https}
       PHP_UPLOAD_LIMIT: ${PHP_UPLOAD_LIMIT:-512M}
-      POSTGRES_HOST: ${POSTGRES_CONTAINER_NAME:-postgres} # Default name is same as ../postgres/docker-compose.yml:8
-      POSTGRES_USER: ${POSTGRES_USER:?err}
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?err}
-      POSTGRES_DB: ${POSTGRES_DB:?err}
-      REDIS_HOST: ${REDIS_CONTAINER_NAME:-redis} # Default name is same as ../redis/docker-compose.yml:4
       PUID: ${NEXTCLOUD_PUID:-1000}
       PGID: ${NEXTCLOUD_PGID:-1000}
 

nextcloud/web/Dockerfile

@@ -1,3 +1,3 @@
-FROM nginx:1.23.3-alpine
+FROM nginx:1.25.3-alpine
 
 COPY nextcloud.conf.template /etc/nginx/templates/default.conf.template

nextcloud/web/nextcloud.conf.template

@@ -2,64 +2,32 @@ upstream php-handler {
     server ${NEXTCLOUD_FPM_CONTAINER_NAME}:9000;
 }
 
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default "immutable";
+}
+
 server {
     listen 80;
 
-    # Add headers to serve security related headers
+    # Path to the root of your installation
-    # Before enabling Strict-Transport-Security headers please read into this
+    root /var/www/html;
-    # topic first.
+
-    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    # Prevent nginx HTTP Server Detection
-    #
+    server_tokens off;
+
+    # HSTS settings
     # WARNING: Only add the preload option once you read about
     # the consequences in https://hstspreload.org/. This option
     # will add the domain to a hardcoded list that is shipped
     # in all major browsers and getting removed from this list
     # could take several months.
-    add_header Referrer-Policy "no-referrer" always;
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Download-Options "noopen" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Permitted-Cross-Domain-Policies "none" always;
-    add_header X-Robots-Tag "none" always;
-    add_header X-XSS-Protection "1; mode=block" always;
 
-    # Remove X-Powered-By, which is an information leak
+    # set max upload size and increase upload timeout:
-    fastcgi_hide_header X-Powered-By;
-
-    # Path to the root of your installation
-    root /var/www/html;
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    # The following 2 rules are only needed for the user_webfinger app.
-    # Uncomment it if you're planning to use this app.
-    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-    # The following rule is only needed for the Social app.
-    # Uncomment it if you're planning to use this app.
-    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
-    location = /.well-known/carddav {
-        return 301 $scheme://$host:$server_port/remote.php/dav;
-    }
-
-    location = /.well-known/caldav {
-        return 301 $scheme://$host:$server_port/remote.php/dav;
-    }
-
-    # location /nginx_status {
-    #     stub_status;
-    #     allow 192.168.1.0/24;	#only allow requests from local network
-    #     deny all;		#deny all other hosts
-    # }
-
-    # set max upload size
     client_max_body_size 10G;
+    client_body_timeout 300s;
     fastcgi_buffers 64 4K;
 
     # Enable gzip but do not remove ETag headers
@@ -68,78 +36,137 @@ server {
     gzip_comp_level 4;
     gzip_min_length 256;
     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
-    # Uncomment if your server is build with the ngx_pagespeed module
+    # Pagespeed is not supported by Nextcloud, so if your server is built
-    # This module is currently not supported.
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
     #pagespeed off;
 
-    location / {
+    # The settings allows you to optimize the HTTP2 bandwidth.
-        rewrite ^ /index.php;
+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+    # for tuning hints
+    client_body_buffer_size 512k;
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Add .mjs as a file extension for javascript
+    # Either include it in the default mime.types list
+    # or include you can include that list explicitly and add the file extension
+    # only for Nextcloud like below:
+    include mime.types;
+    types {
+        text/javascript js mjs;
     }
 
-    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
-        deny all;
+    # here as the fallback means that Nginx always exhibits the desired behaviour
-    }
+    # when a client requests a path that corresponds to a directory that exists
-    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+    # on the server. In particular, if that directory contains an index.php file,
-        deny all;
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
     }
 
-    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+    location = /robots.txt {
-        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The rules in this block are an adaptation of the rules
+        # in `.htaccess` that concern `/.well-known`.
+
+        location = /.well-known/carddav { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         set $path_info $fastcgi_path_info;
+
         try_files $fastcgi_script_name =404;
+
         include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $path_info;
-        # fastcgi_param HTTPS on;
+        fastcgi_param HTTPS on;
 
-        # Avoid sending the security headers twice
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
-        fastcgi_param modHeadersAvailable true;
+        fastcgi_param front_controller_active true;     # Enable pretty urls
-
-        # Enable pretty urls
-        fastcgi_param front_controller_active true;
         fastcgi_pass php-handler;
+
         fastcgi_intercept_errors on;
         fastcgi_request_buffering off;
+
+        fastcgi_max_temp_file_size 0;
     }
 
-    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+    # Serve static files
-        try_files $uri/ =404;
+    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
-        index index.php;
-    }
-
-    # Adding the cache control header for js, css and map files
-    # Make sure it is BELOW the PHP block
-    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
         try_files $uri /index.php$request_uri;
-        add_header Cache-Control "public, max-age=15778463";
+        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
-        # Add headers to serve security related headers (It is intended to
+        access_log off;     # Optional: Don't log access to assets
-        # have those duplicated to the ones above)
-        # Before enabling Strict-Transport-Security headers please read into
-        # this topic first.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        #
-        # WARNING: Only add the preload option once you read about
-        # the consequences in https://hstspreload.org/. This option
-        # will add the domain to a hardcoded list that is shipped
-        # in all major browsers and getting removed from this list
-        # could take several months.
-        add_header Referrer-Policy "no-referrer" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
-        add_header X-XSS-Protection "1; mode=block" always;
 
-        # Optional: Don't log access to assets
+        location ~ \.wasm$ {
-        access_log off;
+            default_type application/wasm;
+        }
     }
 
-    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
+    location ~ \.woff2?$ {
         try_files $uri /index.php$request_uri;
-        # Optional: Don't log access to other assets
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
-        access_log off;
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
     }
 }

plausible/docker-compose.clickhouse.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   clickhouse:

plausible/docker-compose.geoip.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   plausible:

plausible/docker-compose.google.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   plausible:

plausible/docker-compose.local.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   plausible:

plausible/docker-compose.smtp.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   plausible:

plausible/docker-compose.traefik.yml

@@ -1,8 +1,9 @@
-version: "3.8"
+---
 
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   plausible:

plausible/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 volumes:
   plausible:

postgres/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 volumes:
   postgres:

prometheus/docker-compose.traefik.yml

@@ -1,10 +1,9 @@
 ---
 
-version: "3.8"
-
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   prometheus:

redis/README.md

@@ -0,0 +1,6 @@
+# Redis
+
+## Information
+
+- Port par défaut : 6379
+- La configuration de mot de passe : https://github.com/docker-library/redis/issues/46

redis/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 volumes:
   redis:

registry/docker-compose.traefik.yml

@@ -3,6 +3,7 @@ version: '3.8'
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME}
+    external: true
 
 services:
   registry:

signaturepdf/.env

@@ -0,0 +1,30 @@
+########
+# DOCKER
+
+#DOCKER_CONTEXT=
+#DOCKER_HOST=
+SERVICES_DIR=..
+COMPOSE_FILE=${SERVICES_DIR}/signaturepdf/docker-compose.yml:${SERVICES_DIR}/signaturepdf/docker-compose.traefik.yml
+#COMPOSE_PROJECT_NAME=
+
+#SIGNATUREPDF_VOLUME_NAME=
+#SIGNATUREPDF_CONTAINER_NAME=
+#SIGNATUREPDF_IMAGE=
+
+##############
+# SIGNATUREPDF
+
+SIGNATUREPDF_DOMAIN=pdf.cool.life
+UPLOAD_MAX_FILESIZE=24M
+POST_MAX_SIZE=24M
+MAX_FILE_UPLOADS=201
+PDF_STORAGE_PATH=/data
+DISABLE_ORGANIZATION=false
+PDF_DEMO_LINK=true
+
+#########
+# TRAEFIK
+
+#TRAEFIK_NETWORK_NAME=
+#TRAEFIK_ROUTER_NAME=
+#TRAEFIK_ENTRYPOINTS=

signaturepdf/README.md

@@ -0,0 +1,19 @@
+# Signature de PDF
+
+Logiciel WEB libre permettant de modifier un fichier PDF facilement.
+
+## Information
+
+Le service n'a pas d'image Docker officiel. Actuellement l'image a été construite et poussé sur Hub de Docker par Simon :
+
+```
+git clone git@github.com:24eme/signaturepdf.git
+cd signaturepdf
+docker build -t simonc/signaturepdf:latest .
+docker push simonc/signaturepdf:latest
+```
+
+## 🔗 Liens
+
+- [Github](https://github.com/24eme/signaturepdf)
+- [L'image Docker sur Docker Hub](https://hub.docker.com/r/simonc/signaturepdf)

signaturepdf/docker-compose.traefik.https.yml

@@ -0,0 +1,11 @@
+---
+services:
+  signaturepdf:
+    labels:
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-signaturepdf}.tls.certResolver=letsencrypt
+      # redirect HTTP to HTTPS
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-signaturepdf}_http.rule=Host(`${SIGNATUREPDF_DOMAIN:?err}`)
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-signaturepdf}_http.entrypoints=web
+      - traefik.http.middlewares.${TRAEFIK_ROUTER_NAME:-signaturepdf}_redirect_https.redirectscheme.scheme=https
+      - traefik.http.middlewares.${TRAEFIK_ROUTER_NAME:-signaturepdf}_redirect_https.redirectscheme.permanent=true
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-signaturepdf}_http.middlewares=${TRAEFIK_ROUTER_NAME:-signaturepdf}_redirect_https

signaturepdf/docker-compose.traefik.yml

@@ -0,0 +1,14 @@
+---
+
+networks:
+  default:
+    name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
+
+services:
+  signaturepdf:
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=${TRAEFIK_NETWORK_NAME:-traefik}
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-signaturepdf}.rule=Host(`${SIGNATUREPDF_DOMAIN:?err}`)
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-signaturepdf}.entrypoints=${TRAEFIK_ENTRYPOINTS:-web}

signaturepdf/docker-compose.yml

@@ -0,0 +1,23 @@
+---
+
+volumes:
+  signaturepdf:
+    name: ${SIGNATUREPDF_VOLUME_NAME:-signaturepdf}
+
+services:
+  signaturepdf:
+    container_name: ${SIGNATUREPDF_CONTAINER_NAME:-signaturepdf}
+    image: ${SIGNATUREPDF_IMAGE:-simonc/signaturepdf:latest}
+    volumes:
+    - signaturepdf:/data
+    restart: always
+    environment:
+      SERVERNAME: ${SIGNATUREPDF_DOMAIN}
+      UPLOAD_MAX_FILESIZE: ${UPLOAD_MAX_FILESIZE}
+      POST_MAX_SIZE: ${POST_MAX_SIZE}
+      MAX_FILE_UPLOADS: ${MAX_FILE_UPLOADS}
+      PDF_STORAGE_PATH: ${PDF_STORAGE_PATH}
+      DISABLE_ORGANIZATION: ${DISABLE_ORGANIZATION}
+      PDF_DEMO_LINK: ${PDF_DEMO_LINK}
+      DEFAULT_LANGUAGE: ${DEFAULT_LANGUAGE:-fr_FR.UTF-8}
+      PDF_STORAGE_ENCRYPTION: ${PDF_STORAGE_ENCRYPTION:-true}

traefik/docker-compose.network.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 networks:
   default:

traefik/docker-compose.ovh.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   traefik:

traefik/docker-compose.redirect.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   traefik:

traefik/docker-compose.secure.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 networks:
   default:

traefik/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 volumes:
   traefik:
@@ -11,7 +11,7 @@ networks:
 services:
   traefik:
     container_name: ${TRAEFIK_CONTAINER_NAME:-traefik}
-    image: ${TRAEFIK_IMAGE:-traefik:v2.6.3}
+    image: ${TRAEFIK_IMAGE:-traefik:v2.10.4}
     restart: always
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
@@ -27,6 +27,7 @@ services:
       - traefik
     command:
       - --api.insecure=${TRAEFIK_API_INSECURE:-true}
+      - --api.disabledashboardad=${TRAEFIK_API_DISABLEDASHBOARDAD:-true}
       - --log.level=${TRAEFIK_LOG_LEVEL:-INFO}
       - --global.sendanonymoususage=${TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE:-false}
       - --global.checknewversion=${TRAEFIK_GLOBAL_CHECKNEWVERSION:-false}

uptimekuma/docker-compose.local.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 services:
   uptimekuma:
     ports:

uptimekuma/docker-compose.traefik.yml

@@ -1,10 +1,9 @@
 ---
 
-version: "3.8"
-
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   uptimekuma:

uptimekuma/docker-compose.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 volumes:
   uptimekuma:
     name: ${UPTIMEKUMA_VOLUME_NAME:-uptimekuma}

vaultwarden/.env

@@ -9,7 +9,7 @@ COMPOSE_FILE=${SERVICES_DIR}/vaultwarden/docker-compose.yml
 
 #VAULTWARDEN_IMAGE=
 #VAULTWARDEN_VOLUME_NAME=
-VAULTWARDEN_DOMAIN=vaultwarden.local
+SERVICE_DOMAIN=vaultwarden.local
 
 #VAULTWARDEN_LOG_LEVEL=
 #VAULTWARDEN_SIGNUPS_ALLOWED=false

vaultwarden/README.md

@@ -10,6 +10,20 @@ Toutes les variables de configuration du service sont disponibles à [cette adre
 
 [Les clients de Bitwarden](https://bitwarden.com/#download) sont compatibles avec le serveur.
 
+## Ajout des mails en Français
+
+Il est possible de [traduire les mails](https://github.com/dani-garcia/vaultwarden/wiki/Translating-the-email-templates).
+
+```
+. .env
+cd /var/lib/docker/volumes/${VAULTWARDEN_VOLUME_NAME}/_data/
+mkdir templates && cd templates
+wget https://github.com/YoanSimco/vaultwarden-lang-fr/archive/refs/heads/main.zip
+unzip main.zip
+mv vaultwarden-lang-fr/email .
+rm vaultwarden-lang-fr-main/ main.zip -rf
+```
+
 ## Liens
 
 - [Documentation][documentation]

vaultwarden/docker-compose.postgres.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 services:
   vaultwarden:
     depends_on:

vaultwarden/docker-compose.smtp.yml

@@ -1,7 +1,5 @@
 ---
 
-version: "3.8"
-
 services:
   vaultwarden:
     environment:

vaultwarden/docker-compose.sso.yml

@@ -0,0 +1,25 @@
+---
+
+services:
+  vaultwarden:
+    environment:
+      SSO_ENABLED: ${SSO_ENABLED:-true}
+      SSO_ONLY: ${SSO_ONLY:-true}
+      SSO_SIGNUPS_MATCH_EMAIL: ${SSO_SIGNUPS_MATCH_EMAIL:-true}
+      SSO_AUTHORITY: ${SSO_AUTHORITY}
+      SSO_SCOPES: ${SSO_SCOPES:-email groups profile offline_access}
+      SSO_AUTHORIZE_EXTRA_PARAMS: ${SSO_AUTHORIZE_EXTRA_PARAMS:-}
+      SSO_PKCE: ${SSO_PKCE:-false}
+      SSO_CLIENT_ID: ${SSO_CLIENT_ID}
+      SSO_CLIENT_SECRET: ${SSO_CLIENT_SECRET}
+      # SSO_MASTER_PASSWORD_POLICY: ${SSO_MASTER_PASSWORD_POLICY:-}
+      SSO_AUTH_ONLY_NOT_SESSION: ${SSO_AUTH_ONLY_NOT_SESSION:-false}
+      SSO_CLIENT_CACHE_EXPIRATION: ${SSO_CLIENT_CACHE_EXPIRATION:-0}
+      SSO_DEBUG_TOKENS: ${SSO_DEBUG_TOKENS:-false}
+
+      SSO_FRONTEND: ${SSO_FRONTEND:-override}
+      # SSO_EXPERIMENTAL_NO_MASTER_PWD: ${SSO_EXPERIMENTAL_NO_MASTER_PWD:-false}
+      SSO_ROLES_ENABLED: ${SSO_ROLES_ENABLED:-false}
+      SSO_ROLES_DEFAULT_TO_USER: ${SSO_ROLES_DEFAULT_TO_USER:-false}
+
+      SSO_ORGANIZATIONS_INVITE: ${SSO_ORGANIZATIONS_INVITE:-false}

vaultwarden/docker-compose.traefik.https.yml

@@ -0,0 +1,12 @@
+---
+
+services:
+  vaultwarden:
+    labels:
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-vaultwarden}.tls.certResolver=letsencrypt
+      # redirect HTTP to HTTPS
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-vaultwarden}_http.rule=Host(`${SERVICE_DOMAIN:?err}`)
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-vaultwarden}_http.entrypoints=web
+      - traefik.http.middlewares.${TRAEFIK_ROUTER_NAME:-vaultwarden}_redirect_https.redirectscheme.scheme=https
+      - traefik.http.middlewares.${TRAEFIK_ROUTER_NAME:-vaultwarden}_redirect_https.redirectscheme.permanent=true
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-vaultwarden}_http.middlewares=${TRAEFIK_ROUTER_NAME:-vaultwarden}_redirect_https

vaultwarden/docker-compose.traefik.yml

@@ -1,15 +1,14 @@
 ---
 
-version: "3.8"
-
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 services:
   vaultwarden:
     labels:
       - traefik.enable=true
       - traefik.docker.network=${TRAEFIK_NETWORK_NAME:-traefik}
-      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-vaultwarden}.rule=Host(`${VAULTWARDEN_DOMAIN:?err}`)
+      - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-vaultwarden}.rule=Host(`${SERVICE_DOMAIN:?err}`)
       - traefik.http.routers.${TRAEFIK_ROUTER_NAME:-vaultwarden}.entrypoints=${TRAEFIK_ENTRYPOINTS:-web}

vaultwarden/docker-compose.yml

@@ -1,22 +1,26 @@
 ---
 
-version: "3.8"
-
 volumes:
   vaultwarden:
     name: ${VAULTWARDEN_VOLUME_NAME:-vaultwarden}
 
 services:
   vaultwarden:
-    image:  ${VAULTWARDEN_IMAGE:-vaultwarden/server:1.27.0-alpine}
+    image:  ${VAULTWARDEN_IMAGE:-vaultwarden/server:1.34.1-alpine}
     container_name: ${VAULTWARDEN_CONTAINER_NAME:-vaultwarden}
     restart: always
     environment:
       ADMIN_TOKEN: ${VAULTWARDEN_ADMIN_TOKEN:?err}
-      DOMAIN: https://${VAULTWARDEN_DOMAIN:?err}
+      DOMAIN: https://${SERVICE_DOMAIN:?err}
+      SENDS_ALLOWED: ${SENDS_ALLOWED:-true}
+      TRASH_AUTO_DELETE_DAYS: ${TRASH_AUTO_DELETE_DAYS:-}
+      DISABLE_ICON_DOWNLOAD: ${DISABLE_ICON_DOWNLOAD:-false}
+      SIGNUPS_ALLOWED: ${VAULTWARDEN_SIGNUPS_ALLOWED:-true}
+      SIGNUPS_VERIFY: ${SIGNUPS_VERIFY:-false}
+      SIGNUPS_DOMAINS_WHITELIST: ${SIGNUPS_DOMAINS_WHITELIST:-}
       INVITATION_ORG_NAME: ${VAULTWARDEN_INVITATION_ORG_NAME:-Vaultwarden}
       LOG_LEVEL: ${VAULTWARDEN_LOG_LEVEL:-Info}
-      SIGNUPS_ALLOWED: ${VAULTWARDEN_SIGNUPS_ALLOWED:-true}
+      ORG_GROUPS_ENABLED: ${VAULTWARDEN_ORG_GROUPS_ENABLED:-false}
     volumes:
       - vaultwarden:/data
       - /etc/timezone:/etc/timezone:ro

vikunja/docker-compose.legal.yml

@@ -0,0 +1,9 @@
+---
+
+version: "3.8"
+
+services:
+  vikunja_api:
+    environment:
+      VIKUNJA_LEGAL_IMPRINTURL: ${VIKUNJA_LEGAL_IMPRINTURL}
+      VIKUNJA_LEGAL_PRIVACYURL: ${VIKUNJA_LEGAL_PRIVACYURL}

vikunja/docker-compose.local.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 services:
   vikunja_api:

vikunja/docker-compose.prometheus.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 # https://vikunja.io/docs/config-options/#metrics
 

vikunja/docker-compose.redis.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 # https://vikunja.io/docs/config-options/#redis
 

vikunja/docker-compose.smtp.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 # https://vikunja.io/docs/config-options/#mailer
 

vikunja/docker-compose.traefik.yml

@@ -1,8 +1,9 @@
-version: "3.8"
+---
 
 networks:
   default:
     name: ${TRAEFIK_NETWORK_NAME:-traefik}
+    external: true
 
 # https://vikunja.io/docs/full-docker-example/#example-with-traefik-2
 

vikunja/docker-compose.yml

@@ -1,4 +1,4 @@
-version: "3.8"
+---
 
 # https://vikunja.io/docs/config-options
 # https://vikunja.io/docs/full-docker-example/
@@ -10,13 +10,30 @@ volumes:
 services:
   vikunja_api:
     container_name: ${VIKUNJA_CONTAINER_NAME:-vikunja}_api
-    image: ${VIKUNJA_API_IMAGE:-vikunja/api:0.18.1}
+    image: ${VIKUNJA_API_IMAGE:-vikunja/api:0.21.0}
     restart: always
     environment:
+      VIKUNJA_DATABASE_PATH: ${VIKUNJA_DATABASE_PATH:-./vikunja.db}
+
+      VIKUNJA_DEFAULTSETTINGS_AVATAR_PROVIDER: ${VIKUNJA_DEFAULTSETTINGS_AVATAR_PROVIDER:-initials}
+      VIKUNJA_DEFAULTSETTINGS_AVATAR_FILE_ID: ${VIKUNJA_DEFAULTSETTINGS_AVATAR_FILE_ID:-0}
+      VIKUNJA_DEFAULTSETTINGS_EMAIL_REMINDERS_ENABLED: ${VIKUNJA_DEFAULTSETTINGS_EMAIL_REMINDERS_ENABLED:-false}
+      VIKUNJA_DEFAULTSETTINGS_DISCOVERABLE_BY_NAME: ${VIKUNJA_DEFAULTSETTINGS_DISCOVERABLE_BY_NAME:-true}
+      VIKUNJA_DEFAULTSETTINGS_DISCOVERABLE_BY_EMAIL: ${VIKUNJA_DEFAULTSETTINGS_DISCOVERABLE_BY_EMAIL:-true}
+      VIKUNJA_DEFAULTSETTINGS_OVERDUE_TASKS_REMINDERS_ENABLED: ${VIKUNJA_DEFAULTSETTINGS_OVERDUE_TASKS_REMINDERS_ENABLED:-false}
+      VIKUNJA_DEFAULTSETTINGS_OVERDUE_TASKS_REMINDERS_TIME: ${VIKUNJA_DEFAULTSETTINGS_OVERDUE_TASKS_REMINDERS_TIME:-9:00}
+      VIKUNJA_DEFAULTSETTINGS_DEFAULT_PROJECT_ID: ${VIKUNJA_DEFAULTSETTINGS_DEFAULT_PROJECT_ID:-0}
+      VIKUNJA_DEFAULTSETTINGS_WEEK_START: ${VIKUNJA_DEFAULTSETTINGS_WEEK_START:-1}
+      VIKUNJA_DEFAULTSETTINGS_LANGUAGE: ${VIKUNJA_DEFAULTSETTINGS_LANGUAGE:-fr-FR}
+      VIKUNJA_DEFAULTSETTINGS_TIMEZONE: ${VIKUNJA_DEFAULTSETTINGS_TIMEZONE:-Europe/Paris}
+
+      VIKUNJA_FILES_BASEPATH: ${VIKUNJA_FILES_BASEPATH:-./files}
+      VIKUNJA_FILES_MAXSIZE: ${VIKUNJA_FILES_MAXSIZE:-20MB}
+
+
       VIKUNJA_SERVICE_JWTSECRET: ${VIKUNJA_SERVICE_JWTSECRET}
       VIKUNJA_SERVICE_JWTTTL: ${VIKUNJA_SERVICE_JWTTTL:-259200}
       VIKUNJA_SERVICE_JWTTTLLONG: ${VIKUNJA_SERVICE_JWTTTLLONG:-2592000}
-
       VIKUNJA_SERVICE_FRONTENDURL: ${VIKUNJA_SERVICE_FRONTENDURL:?err}
       VIKUNJA_SERVICE_MAXITEMSPERPAGE: ${VIKUNJA_SERVICE_MAXITEMSPERPAGE:-50}
       VIKUNJA_SERVICE_ENABLECALDAV: ${VIKUNJA_SERVICE_ENABLECALDAV:-true}
@@ -28,18 +45,17 @@ services:
       VIKUNJA_SERVICE_ENABLETOTP: ${VIKUNJA_SERVICE_ENABLETOTP:-true}
       VIKUNJA_SERVICE_ENABLEEMAILREMINDERS: ${VIKUNJA_SERVICE_ENABLEEMAILREMINDERS:-true}
       VIKUNJA_SERVICE_ENABLEUSERDELETION: ${VIKUNJA_SERVICE_ENABLEUSERDELETION:-true}
+      VIKUNJA_SERVICE_ROOTPATH: ${VIKUNJA_SERVICE_ROOTPATH:-/app/vikunja/}
 
-      VIKUNJA_FILES_BASEPATH: ${VIKUNJA_FILES_BASEPATH:-./files}
-      VIKUNJA_FILES_MAXSIZE: ${VIKUNJA_FILES_MAXSIZE:-20MB}
       PUID: ${VIKUNJA_PUID:-1000}
       PGID: ${VIKUNJA_PGID:-1000}
     volumes:
-      - vikunja:/app/vikunja/files
+      - vikunja:${VIKUNJA_VOLUME_PATH:-/app/vikunja/files}
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
   vikunja_frontend:
     container_name: ${VIKUNJA_CONTAINER_NAME:-vikunja}_frontend
-    image: ${VIKUNJA_FRONTEND_IMAGE:-vikunja/frontend:0.18.2}
+    image: ${VIKUNJA_FRONTEND_IMAGE:-vikunja/frontend:0.21.0}
     restart: always
     depends_on:
       - vikunja_api