chore: traefik without watchtower

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitignore

@@ -1,3 +1,4 @@
 .claude
 .env
 *.sql
+*.log

README.md

@@ -13,13 +13,19 @@ Each stack is independently deployable with its own `compose.yml` and `.env`. Al
 | `watchtower` | Automatic container updates | watchtower |
 | `umami` | Web analytics | umami, db |
 | `immich` | Photo & video management | immich, ml, redis, db |
-| `joplin` | Note sync server | joplin, db |
+| `blinko` | AI-powered personal notes | blinko, db |
 | `mattermost` | Team chat | mattermost, db |
 | `gitea` | Git hosting + CI runner | gitea, runner, db |
 | `coolify` | Deployment platform | coolify, realtime, redis, db |
 | `sexy` | pivoine.art website | directus, frontend, redis, db |
 | `vaultwarden` | Password manager | vaultwarden |
 
+## Tools
+
+| Directory | Description |
+|---|---|
+| `_backup` | Daily restic backups to HiDrive (host script + systemd timer) |
+
 ## Deployment
 
 ```bash
@@ -34,6 +40,32 @@ ssh vps 'cd ~/stacks/<stack> && docker compose up -d'
 
 All stacks share the external `falcon_network` Docker network for inter-service communication (e.g. traefik routing, mailpit SMTP).
 
+## Backup
+
+The `_backup` stack runs a daily restic backup at 3:00 AM. It dumps all Postgres databases, then backs up the entire `.data/` directory to HiDrive. Retention: 7 daily, 4 weekly, 6 monthly snapshots. Notifications go to Mattermost.
+
+```bash
+# Deploy backup stack
+rsync -avz _backup/ vps:~/stacks/_backup/
+
+# Initialize restic repo (first time only)
+ssh vps 'source ~/stacks/_backup/.env && restic init -r /mnt/hidrive/users/valknar/Backup/stacks'
+
+# Install systemd units
+ssh vps 'ln -sf ~/stacks/_backup/stacks-backup.service /etc/systemd/system/ && \
+         ln -sf ~/stacks/_backup/stacks-backup.timer /etc/systemd/system/ && \
+         systemctl daemon-reload && systemctl enable --now stacks-backup.timer'
+
+# Manual test run
+ssh vps '~/stacks/_backup/backup.sh'
+
+# Check timer status
+ssh vps 'systemctl status stacks-backup.timer'
+
+# View snapshots
+ssh vps 'source ~/stacks/_backup/.env && restic -r /mnt/hidrive/users/valknar/Backup/stacks snapshots'
+```
+
 ## Data
 
 Persistent data is stored in `~/stacks/.data/<stack>/` on the VPS using bind mounts. Database stacks use dedicated Postgres instances with simple credentials.

_backup/backup.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+STACKS_DIR="$(dirname "$SCRIPT_DIR")"
+DATA_DIR="$STACKS_DIR/.data"
+DUMP_DIR="$DATA_DIR/backup/dumps"
+LOG_FILE="$SCRIPT_DIR/backup.log"
+
+# Load environment
+set -a
+source "$SCRIPT_DIR/.env"
+set +a
+
+export RESTIC_REPOSITORY RESTIC_PASSWORD
+
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG_FILE"; }
+
+notify() {
+  local color="$1" text="$2"
+  curl -sf -o /dev/null -X POST "$MATTERMOST_WEBHOOK" \
+    -H 'Content-Type: application/json' \
+    -d "{\"attachments\":[{\"color\":\"$color\",\"text\":\"$text\"}]}"
+}
+
+# Truncate log on each run
+: > "$LOG_FILE"
+
+log "Starting backup"
+
+# --- Postgres dumps ---
+mkdir -p "$DUMP_DIR"
+
+declare -A DATABASES=(
+  [umami_db]="umami:umami"
+  [blinko_db]="blinko:blinko"
+  [gitea_db]="gitea:gitea"
+  [mattermost_db]="mattermost:mattermost"
+  [sexy_db]="sexy:sexy"
+  [immich_db]="immich:immich"
+  [coolify_db]="coolify:coolify"
+)
+
+dump_errors=()
+for container in "${!DATABASES[@]}"; do
+  IFS=: read -r user db <<< "${DATABASES[$container]}"
+  log "Dumping $db from $container"
+  if docker exec "$container" pg_dump -U "$user" "$db" > "$DUMP_DIR/$db.sql" 2>>"$LOG_FILE"; then
+    log "  OK ($(du -h "$DUMP_DIR/$db.sql" | cut -f1))"
+  else
+    log "  FAILED: $container"
+    dump_errors+=("$db")
+  fi
+done
+
+if [ ${#dump_errors[@]} -gt 0 ]; then
+  log "WARNING: Failed dumps: ${dump_errors[*]}"
+fi
+
+# --- Restic backup ---
+log "Running restic backup"
+if ! restic backup "$DATA_DIR" --tag stacks 2>&1 | tee -a "$LOG_FILE"; then
+  log "FATAL: restic backup failed"
+  notify "#cc0000" ":x: **Backup failed** — restic backup error. Check \`$LOG_FILE\`."
+  exit 1
+fi
+
+# --- Restic prune ---
+log "Pruning old snapshots"
+if ! restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 2>&1 | tee -a "$LOG_FILE"; then
+  log "WARNING: restic forget failed"
+fi
+
+# --- Summary ---
+snapshot_info=$(restic snapshots --latest 1 --compact 2>/dev/null | tail -3 | head -1)
+repo_stats=$(restic stats 2>/dev/null | grep "Total Size" || true)
+
+summary=":white_check_mark: **Backup complete**"
+[ ${#dump_errors[@]} -gt 0 ] && summary+="\n:warning: Failed dumps: ${dump_errors[*]}"
+summary+="\nLatest: \`$snapshot_info\`"
+[ -n "$repo_stats" ] && summary+="\nRepo: $repo_stats"
+
+notify "#36a64f" "$summary"
+log "Backup complete"

_backup/stacks-backup.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup stacks data to HiDrive via restic
+After=network-online.target docker.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/root/stacks/_backup/backup.sh
+Environment=HOME=/root

_backup/stacks-backup.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Daily stacks backup at 3:00 AM
+
+[Timer]
+OnCalendar=*-*-* 03:00:00 Europe/Amsterdam
+Persistent=true
+
+[Install]
+WantedBy=timers.target

api/auth.conf.template

@@ -0,0 +1,9 @@
+server {
+    listen 8080;
+    location / {
+        if ($http_x_api_key != '${API_TOKEN}') {
+            return 401;
+        }
+        return 200;
+    }
+}

api/compose.yml

@@ -0,0 +1,103 @@
+services:
+  auth:
+    image: nginx:alpine
+    container_name: api_auth
+    volumes:
+      - ./auth.conf.template:/etc/nginx/templates/default.conf.template:ro
+    environment:
+      - API_TOKEN=${API_TOKEN}
+    restart: always
+    networks:
+      - compose_network
+
+  freepik:
+    image: dev.pivoine.art/valknar/freepik-api:latest
+    container_name: api_freepik
+    environment:
+      - FP_FREEPIK_API_KEY=${FP_FREEPIK_API_KEY}
+      - FP_WEBHOOK_SECRET=${FP_WEBHOOK_SECRET}
+    volumes:
+      - ../.data/api/freepik/outputs:/app/outputs
+      - ../.data/api/freepik/temp:/app/temp
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.api-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.api-auth.forwardauth.address=http://api_auth:8080"
+      - "traefik.http.middlewares.api-freepik-strip.stripprefix.prefixes=/freepik"
+      - "traefik.http.middlewares.api-freepik-addprefix.addprefix.prefix=/api/v1"
+      - "traefik.http.routers.api-freepik-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/freepik`)"
+      - "traefik.http.routers.api-freepik-web.entrypoints=web"
+      - "traefik.http.routers.api-freepik-web.middlewares=api-redirect-web-secure"
+      - "traefik.http.routers.api-freepik-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/freepik`)"
+      - "traefik.http.routers.api-freepik-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.api-freepik-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.api-freepik-web-secure.middlewares=api-auth,api-freepik-strip,api-freepik-addprefix,api-rate-limit@file"
+      - "traefik.http.services.api-freepik-web-secure.loadbalancer.server.port=8000"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - compose_network
+
+  facefusion:
+    image: dev.pivoine.art/valknar/facefusion-api:latest
+    container_name: api_facefusion
+    environment:
+      - FF_EXECUTION_PROVIDERS=["cpu"]
+    volumes:
+      - ../.data/api/facefusion/uploads:/app/uploads
+      - ../.data/api/facefusion/outputs:/app/outputs
+      - ../.data/api/facefusion/models:/app/models
+      - ../.data/api/facefusion/temp:/app/temp
+      - ../.data/api/facefusion/jobs:/app/jobs
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.api-facefusion-strip.stripprefix.prefixes=/facefusion"
+      - "traefik.http.middlewares.api-facefusion-addprefix.addprefix.prefix=/api/v1"
+      - "traefik.http.routers.api-facefusion-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/facefusion`)"
+      - "traefik.http.routers.api-facefusion-web.entrypoints=web"
+      - "traefik.http.routers.api-facefusion-web.middlewares=api-redirect-web-secure"
+      - "traefik.http.routers.api-facefusion-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/facefusion`)"
+      - "traefik.http.routers.api-facefusion-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.api-facefusion-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.api-facefusion-web-secure.middlewares=api-auth,api-facefusion-strip,api-facefusion-addprefix,api-rate-limit@file"
+      - "traefik.http.services.api-facefusion-web-secure.loadbalancer.server.port=8000"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - compose_network
+
+  realesrgan:
+    image: dev.pivoine.art/valknar/realesrgan-api:latest
+    container_name: api_realesrgan
+    environment:
+      - RSR_EXECUTION_PROVIDERS=["cpu"]
+    volumes:
+      - ../.data/api/realesrgan/uploads:/data/uploads
+      - ../.data/api/realesrgan/outputs:/data/outputs
+      - ../.data/api/realesrgan/models:/data/models
+      - ../.data/api/realesrgan/temp:/data/temp
+      - ../.data/api/realesrgan/jobs:/data/jobs
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.api-realesrgan-strip.stripprefix.prefixes=/realesrgan"
+      - "traefik.http.middlewares.api-realesrgan-addprefix.addprefix.prefix=/api/v1"
+      - "traefik.http.routers.api-realesrgan-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/realesrgan`)"
+      - "traefik.http.routers.api-realesrgan-web.entrypoints=web"
+      - "traefik.http.routers.api-realesrgan-web.middlewares=api-redirect-web-secure"
+      - "traefik.http.routers.api-realesrgan-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/realesrgan`)"
+      - "traefik.http.routers.api-realesrgan-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.api-realesrgan-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.api-realesrgan-web-secure.middlewares=api-auth,api-realesrgan-strip,api-realesrgan-addprefix,api-rate-limit@file"
+      - "traefik.http.services.api-realesrgan-web-secure.loadbalancer.server.port=8000"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - compose_network
+
+networks:
+  compose_network:
+    name: ${NETWORK_NAME}
+    external: true

blinko/compose.yml

@@ -0,0 +1,54 @@
+---
+services:
+  blinko:
+    image: blinkospace/blinko:latest
+    container_name: blinko
+    environment:
+      TZ: ${TIMEZONE:-Europe/Amsterdam}
+      NODE_ENV: production
+      NEXTAUTH_URL: https://${TRAEFIK_HOST}
+      NEXT_PUBLIC_BASE_URL: https://${TRAEFIK_HOST}
+      NEXTAUTH_SECRET: ${BLINKO_NEXTAUTH_SECRET}
+      DATABASE_URL: postgresql://blinko:blinko@blinko_db:5432/blinko
+    volumes:
+      - ../.data/blinko/app:/app/.blinko
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.blinko-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.blinko-web.middlewares=blinko-redirect-web-secure"
+      - "traefik.http.routers.blinko-web.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.blinko-web.entrypoints=web"
+      - "traefik.http.routers.blinko-web-secure.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.blinko-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.blinko-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.blinko-web-secure.middlewares=security-headers@file"
+      - "traefik.http.services.blinko-web-secure.loadbalancer.server.port=1111"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - compose_network
+  db:
+    image: postgres:14-alpine
+    container_name: blinko_db
+    environment:
+      POSTGRES_DB: blinko
+      POSTGRES_USER: blinko
+      POSTGRES_PASSWORD: blinko
+    volumes:
+      - ../.data/blinko/db:/var/lib/postgresql/data
+    restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - compose_network
+networks:
+  compose_network:
+    name: ${NETWORK_NAME}
+    external: true

gitea/runner-config.yaml

@@ -3,7 +3,7 @@ log:
 
 runner:
   file: .runner
-  capacity: 1
+  capacity: 4
   envs: {}
   env_file: .env
   timeout: 3h

joplin/compose.yml

@@ -1,59 +0,0 @@
----
-services:
-  joplin:
-    image: joplin/server:latest
-    container_name: joplin
-    environment:
-      TZ: ${TIMEZONE:-Europe/Amsterdam}
-      APP_PORT: 22300
-      APP_BASE_URL: https://${TRAEFIK_HOST}
-      DB_CLIENT: pg
-      POSTGRES_HOST: joplin_db
-      POSTGRES_PORT: 5432
-      POSTGRES_DATABASE: joplin
-      POSTGRES_USER: joplin
-      POSTGRES_PASSWORD: joplin
-      MAILER_ENABLED: 1
-      MAILER_HOST: mailpit
-      MAILER_PORT: 1025
-      MAILER_SECURE: 0
-    depends_on:
-      db:
-        condition: service_healthy
-    restart: always
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.middlewares.joplin-redirect-web-secure.redirectscheme.scheme=https"
-      - "traefik.http.routers.joplin-web.middlewares=joplin-redirect-web-secure"
-      - "traefik.http.routers.joplin-web.rule=Host(`${TRAEFIK_HOST}`)"
-      - "traefik.http.routers.joplin-web.entrypoints=web"
-      - "traefik.http.routers.joplin-web-secure.rule=Host(`${TRAEFIK_HOST}`)"
-      - "traefik.http.routers.joplin-web-secure.tls.certresolver=resolver"
-      - "traefik.http.routers.joplin-web-secure.entrypoints=web-secure"
-      - "traefik.http.routers.joplin-web-secure.middlewares=security-headers@file"
-      - "traefik.http.services.joplin-web-secure.loadbalancer.server.port=22300"
-      - "traefik.docker.network=${NETWORK_NAME}"
-      - "com.centurylinklabs.watchtower.enable=true"
-    networks:
-      - compose_network
-  db:
-    image: postgres:16-alpine
-    container_name: joplin_db
-    environment:
-      POSTGRES_DB: joplin
-      POSTGRES_USER: joplin
-      POSTGRES_PASSWORD: joplin
-    volumes:
-      - ../.data/joplin/db:/var/lib/postgresql/data
-    restart: always
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-    networks:
-      - compose_network
-networks:
-  compose_network:
-    name: ${NETWORK_NAME}
-    external: true

palina/compose.yml

@@ -0,0 +1,59 @@
+---
+services:
+  ghost:
+    image: ghost:latest
+    container_name: palina_ghost
+    restart: always
+    environment:
+      database__client: mysql
+      database__connection__host: palina_db
+      database__connection__user: root
+      database__connection__password: palina
+      database__connection__database: palina
+      mail__transport: SMTP
+      mail__options__service: Mailpit
+      mail__options__host: mailpit
+      mail__options__port: 1025
+      mail__options__secure: false
+      mail__options__auth__user: ""
+      mail__options__auth__pass: ""
+      url: https://${TRAEFIK_HOST}
+    depends_on:
+      db:
+        condition: service_healthy
+    volumes:
+      - ../.data/ghost/content:/var/lib/ghost/content
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.palina-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.palina-web.middlewares=palina-redirect-web-secure"
+      - "traefik.http.routers.palina-web.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.palina-web.entrypoints=web"
+      - "traefik.http.routers.palina-web-secure.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.palina-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.palina-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.palina-web-secure.middlewares=security-headers@file"
+      - "traefik.http.services.palina-web-secure.loadbalancer.server.port=2368"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - compose_network
+  db:
+    image: mysql:8.0
+    container_name: palina_db
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: palina
+    volumes:
+      - ../.data/ghost/db:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - compose_network
+networks:
+  compose_network:
+    name: ${NETWORK_NAME}
+    external: true

sexy/compose.yml

@@ -11,9 +11,8 @@ services:
       NODE_ENV: production
       PUBLIC_API_URL: https://${TRAEFIK_HOST}/api
       PUBLIC_URL: https://${TRAEFIK_HOST}
-      PUBLIC_UMAMI_ID: ""
+      PUBLIC_UMAMI_ID: ${UMAMI_ID}
-    volumes:
+      PUBLIC_UMAMI_SCRIPT: ${UMAMI_SCRIPT}
-      - ../.data/sexy/bundle:/home/node/app/packages/bundle
     restart: always
     labels:
       - "traefik.enable=true"
@@ -31,40 +30,30 @@ services:
       - "com.centurylinklabs.watchtower.enable=true"
     networks:
       - compose_network
-  directus:
+  backend:
-    image: directus/directus:11.12.0
+    image: dev.pivoine.art/valknar/sexy-backend:latest
-    container_name: sexy_directus
+    container_name: sexy_backend
     environment:
       TZ: ${TIMEZONE:-Europe/Amsterdam}
-      SECRET: ${DIRECTUS_SECRET}
+      NODE_ENV: production
-      DB_CLIENT: pg
+      PORT: 4000
-      DB_HOST: sexy_db
+      DATABASE_URL: postgresql://${DB_USER:-sexy}:${DB_PASSWORD:-sexy}@sexy_db:5432/${DB_NAME:-sexy}
-      DB_PORT: 5432
+      REDIS_URL: redis://sexy_redis:6379
-      DB_DATABASE: directus
+      UPLOAD_DIR: /data/uploads
-      DB_USER: directus
-      DB_PASSWORD: directus
-      CACHE_ENABLED: "true"
-      CACHE_AUTO_PURGE: "true"
-      CACHE_STORE: redis
-      REDIS: redis://sexy_redis:6379
-      WEBSOCKETS_ENABLED: "true"
-      PUBLIC_URL: https://${TRAEFIK_HOST}/api
-      CORS_ENABLED: "true"
       CORS_ORIGIN: https://${TRAEFIK_HOST}
+      COOKIE_SECRET: ${COOKIE_SECRET}
       SESSION_COOKIE_SECURE: "true"
       SESSION_COOKIE_SAME_SITE: strict
       SESSION_COOKIE_DOMAIN: ${TRAEFIK_HOST}
-      EXTENSIONS_PATH: ./extensions
+      PUBLIC_URL: https://${TRAEFIK_HOST}
-      EXTENSIONS_AUTO_RELOAD: "false"
+      SMTP_HOST: ${SMTP_HOST:-mailpit}
-      CONTENT_SECURITY_POLICY_DIRECTIVES__FRAME_SRC: https://${TRAEFIK_HOST}
+      SMTP_PORT: ${SMTP_PORT:-1025}
-      EMAIL_TRANSPORT: smtp
+      SMTP_SECURE: ${SMTP_SECURE:-false}
-      EMAIL_SMTP_HOST: mailpit
+      SMTP_USER: ${SMTP_USER:-}
-      EMAIL_SMTP_PORT: 1025
+      SMTP_PASS: ${SMTP_PASS:-}
-      USER_REGISTER_URL_ALLOW_LIST: https://${TRAEFIK_HOST}/signup/verify
+      EMAIL_FROM: ${EMAIL_FROM:-noreply@sexy.pivoine.art}
-      PASSWORD_RESET_URL_ALLOW_LIST: https://${TRAEFIK_HOST}/password/reset
     volumes:
-      - ../.data/sexy/uploads:/directus/uploads
+      - ../.data/sexy/uploads:/data/uploads
-      - ../.data/sexy/bundle:/directus/extensions/sexy.pivoine.art
     depends_on:
       db:
         condition: service_healthy
@@ -73,17 +62,17 @@ services:
     restart: always
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.sexy-directus-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.sexy-backend-redirect-web-secure.redirectscheme.scheme=https"
-      - "traefik.http.routers.sexy-directus-web.middlewares=sexy-directus-redirect-web-secure"
+      - "traefik.http.routers.sexy-backend-web.middlewares=sexy-backend-redirect-web-secure"
-      - "traefik.http.routers.sexy-directus-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/api`)"
+      - "traefik.http.routers.sexy-backend-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/api`)"
-      - "traefik.http.routers.sexy-directus-web.entrypoints=web"
+      - "traefik.http.routers.sexy-backend-web.entrypoints=web"
-      - "traefik.http.routers.sexy-directus-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/api`)"
+      - "traefik.http.routers.sexy-backend-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/api`)"
-      - "traefik.http.routers.sexy-directus-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.sexy-backend-web-secure.tls.certresolver=resolver"
-      - "traefik.http.routers.sexy-directus-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.sexy-backend-web-secure.entrypoints=web-secure"
-      - "traefik.http.middlewares.sexy-directus-compress.compress=true"
+      - "traefik.http.middlewares.sexy-backend-strip.stripprefix.prefixes=/api"
-      - "traefik.http.middlewares.sexy-directus-strip.stripprefix.prefixes=/api"
+      - "traefik.http.middlewares.sexy-backend-compress.compress=true"
-      - "traefik.http.routers.sexy-directus-web-secure.middlewares=sexy-directus-strip,sexy-directus-compress"
+      - "traefik.http.routers.sexy-backend-web-secure.middlewares=sexy-backend-strip,sexy-backend-compress"
-      - "traefik.http.services.sexy-directus-web-secure.loadbalancer.server.port=8055"
+      - "traefik.http.services.sexy-backend-web-secure.loadbalancer.server.port=4000"
       - "traefik.docker.network=${NETWORK_NAME}"
       - "com.centurylinklabs.watchtower.enable=true"
     networks:
@@ -103,9 +92,9 @@ services:
     image: postgres:16-alpine
     container_name: sexy_db
     environment:
-      POSTGRES_DB: directus
+      POSTGRES_DB: ${DB_NAME:-sexy}
-      POSTGRES_USER: directus
+      POSTGRES_USER: ${DB_USER:-sexy}
-      POSTGRES_PASSWORD: directus
+      POSTGRES_PASSWORD: ${DB_PASSWORD:-sexy}
     volumes:
       - ../.data/sexy/db:/var/lib/postgresql/data
     restart: always

traefik/compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   traefik:
-    image: traefik:latest
+    image: traefik:v3
     container_name: traefik
     command:
       - "--api.dashboard=false"
@@ -38,8 +38,6 @@ services:
       timeout: 5s
       retries: 3
       start_period: 10s
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
     networks:
       - compose_network
       - coolify_network

umami/compose.yml

@@ -1,11 +1,11 @@
 ---
 services:
   umami:
-    image: ghcr.io/umami-software/umami:latest
+    image: ghcr.io/umami-software/umami:postgresql-latest
     container_name: umami
     environment:
       TZ: ${TIMEZONE:-Europe/Amsterdam}
-      DATABASE_URL: postgresql://umami:umami@db:5432/umami
+      DATABASE_URL: postgresql://umami:umami@umami_db:5432/umami
       APP_SECRET: ${APP_SECRET}
     depends_on:
       db:

vaultwarden/compose.yml

@@ -11,6 +11,7 @@ services:
       INVITATIONS_ALLOWED: "true"
       SHOW_PASSWORD_HINT: "false"
       SMTP_HOST: mailpit
+      SMTP_FROM: ${SMTP_FROM}
       SMTP_FROM_NAME: Vaultwarden
       SMTP_SECURITY: off
       SMTP_PORT: 1025