fix: Make it push pushable

file browser, n8n, portainer, syncthing, uptime-kuma, watchtower

.gitignore

@@ -4,3 +4,7 @@ data/
 
 caddy/data/
 caddy/config/
+
+filebrowser/
+
+.claude/

caddy/Caddyfile

@@ -18,10 +18,6 @@
 
 # Public — only webhook endpoint, no UI
 n8n.sauravdhakal.com.np {
-    reverse_proxy localhost:5678 {
-        # Only allow webhook paths publicly
-        header_up Host {host}
-    }
     @public path /webhook/* /webhook-test/*
     handle @public {
         reverse_proxy localhost:5678
@@ -54,10 +50,86 @@ actual.sauravdhakal.com.np {
 
 immich.sauravdhakal.com.np {
     bind 100.81.85.182
-    reverse_proxy immich-server:8082
+    reverse_proxy localhost:8082
 }
 
 filebrowser.sauravdhakal.com.np {
     bind 100.81.85.182
-    reverse_proxy filebrowser:8083
+    reverse_proxy localhost:8083
 }
+
+syncthing.sauravdhakal.com.np {
+    bind 100.81.85.182
+    reverse_proxy localhost:8384
+}
+
+portainer.sauravdhakal.com.np {
+    bind 100.81.85.182
+    reverse_proxy localhost:9000
+}
+
+uptime.sauravdhakal.com.np {
+    bind 100.81.85.182
+    reverse_proxy localhost:3001
+}
+
+# -----------------------------------------------
+# Gitea — PUBLIC WEB UI
+# Gitea's built-in auth handles write restrictions
+# -----------------------------------------------
+
+gitea.sauravdhakal.com.np {
+    # Allow public access (no bind = all interfaces)
+
+    # Security headers
+    header {
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+
+    reverse_proxy localhost:3000 {
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-For {remote_host}
+    }
+}
+
+# Woodpecker CI — VPN only
+ci.sauravdhakal.com.np {
+    bind 100.81.85.182
+    reverse_proxy localhost:8000
+}
+
+# Your site — public, with caching
+sauravdhakal.com.np, www.sauravdhakal.com.np {
+    root * /home/saurav/site/public
+
+    header /static/* Cache-Control "public, max-age=31536000, immutable"  # assets forever
+    header /assets/* Cache-Control "public, max-age=31536000, immutable"  # assets forever
+
+    # This is where you learn caching
+    header Cache-Control "public, max-age=3600"        # cache 1 hour by default
+
+    file_server
+    encode gzip
+}
+
+memos.sauravdhakal.com.np {
+    bind 100.81.85.182
+    reverse_proxy localhost:5230
+}
+
+dozzle.sauravdhakal.com.np {
+    bind 100.81.85.182
+    reverse_proxy localhost:8888
+}
+
+docs.sauravdhakal.com.np {
+    bind 100.81.85.182
+    reverse_proxy localhost:3030
+}
+#
+# glances.sauravdhakal.com.np {
+#     bind 100.81.85.182
+#     reverse_proxy localhost:61208
+# }

docker-compose.yml

@@ -3,6 +3,16 @@ include:
   - services/vaultwarden.yml
   - services/actual.yml
   - services/immich.yml
+  - services/filebrowser.yml
+  - services/syncthing.yml
+  - services/n8n.yml
+  - services/portainer.yml
+  # - services/watchtower.yml
+  - services/uptime-kuma.yml
+  - services/woodpecker.yml
+  - services/gitea.yml
+  - services/memos.yml
+  - services/docmost.yml
 
 networks:
   caddy_net:

services/caddy.yml

@@ -8,6 +8,7 @@ services:
       - ../caddy/Caddyfile:/etc/caddy/Caddyfile
       - ../caddy/data:/data
       - ../caddy/config:/config
+      - /home/saurav/site/public:/home/saurav/site/public:ro  # Mount your portfolio site (read-only)
     network_mode: host          # Caddy sees ALL host interfaces including Netbird
 
 networks:

services/docmost.yml

@@ -0,0 +1,44 @@
+services:
+  docmost:
+    image: docmost/docmost:latest
+    depends_on:
+      - docmost_db
+      - docmost_redis
+    environment:
+      - APP_URL=https://docs.sauravdhakal.com.np
+      - APP_SECRET=${DOCMOST_APP_SECRET}
+      - DATABASE_URL=postgresql://docmost:${DOCMOST_DB_PASSWORD}@docmost_db:5432/docmost
+      - REDIS_URL=redis://docmost_redis:6379
+    ports:
+      - "127.0.0.1:3030:3000"
+    restart: unless-stopped
+    volumes:
+      - /home/saurav/hetzner_self/data/docmost/storage:/app/data/storage
+    networks:
+      - docmost_internal
+
+
+  docmost_db:
+    image: postgres:18
+    environment:
+      - POSTGRES_DB=docmost
+      - POSTGRES_USER=docmost
+      - POSTGRES_PASSWORD=${DOCMOST_DB_PASSWORD}
+    restart: unless-stopped
+    volumes:
+      - /home/saurav/hetzner_self/data/docmost/db:/var/lib/postgresql
+    networks:
+      - docmost_internal
+
+  docmost_redis:
+    image: redis:8-alpine
+    command: ["redis-server", "--appendonly", "yes", "--maxmemory-policy", "noeviction"]
+    restart: unless-stopped
+    volumes:
+      - /home/saurav/hetzner_self/data/docmost/redis:/data
+    networks:
+      - docmost_internal
+
+networks:
+  docmost_internal:
+    driver: bridge

services/filebrowser.yml

@@ -0,0 +1,13 @@
+services:
+  filebrowser:
+    image: filebrowser/filebrowser:latest
+    restart: unless-stopped
+    user: "1000:1000"
+    ports:
+      - "127.0.0.1:8083:8080"
+    command: --address 0.0.0.0 --port 8080 --database /filebrowser.db --root /srv
+    volumes:
+      - /home/saurav:/srv
+      - /home/saurav/cloud:/srv/cloud
+      - /home/saurav/hetzner_self/filebrowser/filebrowser.db:/filebrowser.db
+      - /home/saurav/hetzner_self/filebrowser/settings.json:/config/settings.json

services/gitea.yml

@@ -0,0 +1,24 @@
+services:
+  gitea:
+    image: gitea/gitea:latest
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:3000:3000"
+      - "2222:22"               # git ssh — different port to avoid conflict
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__database__DB_TYPE=sqlite3
+      - GITEA__database__PATH=/data/gitea/gitea.db
+      - GITEA__server__DOMAIN=gitea.sauravdhakal.com.np
+      - GITEA__server__ROOT_URL=https://gitea.sauravdhakal.com.np
+      - GITEA__server__SSH_DOMAIN=gitea.sauravdhakal.com.np
+      - GITEA__server__SSH_PORT=2222
+      # Allow public access but disable registration
+      - GITEA__service__DISABLE_REGISTRATION=true
+      # Require login to push (read is public)
+      - GITEA__repository__DISABLE_HTTP_GIT=false
+      - GITEA__security__INSTALL_LOCK=true
+    volumes:
+      - /home/saurav/hetzner_self/data/gitea:/data
+

services/memos.yml

@@ -0,0 +1,9 @@
+services:
+  memos:
+    image: neosmemo/memos:stable
+    restart: unless-stopped
+    user: "1000:1000"
+    ports:
+      - "127.0.0.1:5230:5230"
+    volumes:
+      - /home/saurav/hetzner_self/data/memos:/var/opt/memos

services/n8n.yml

@@ -0,0 +1,17 @@
+services:
+  n8n:
+    image: n8nio/n8n:latest
+    restart: unless-stopped
+    user: "node"
+    ports:
+      - "127.0.0.1:5678:5678"
+    environment:
+      - N8N_HOST=n8n.sauravdhakal.com.np
+      - N8N_PORT=5678
+      - N8N_PROTOCOL=https
+      - WEBHOOK_URL=https://n8n.sauravdhakal.com.np
+      - N8N_EDITOR_BASE_URL=https://n8n-admin.sauravdhakal.com.np
+      - GENERIC_TIMEZONE=Asia/Kathmandu
+      - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
+    volumes:
+      - /home/saurav/hetzner_self/data/n8n:/home/node/.n8n

services/portainer.yml

@@ -0,0 +1,9 @@
+services:
+  portainer:
+    image: portainer/portainer-ce:latest
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:9000:9000"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock    # needs docker socket
+      - /home/saurav/hetzner_self/data/portainer:/data

services/syncthing.yml

@@ -0,0 +1,16 @@
+services:
+  syncthing:
+    image: syncthing/syncthing:latest
+    restart: unless-stopped
+    user: "1000:1000"
+    ports:
+      - "127.0.0.1:8384:8384"    # web UI — VPN only via Caddy
+      - "22000:22000/tcp"         # sync protocol — needs to be public
+      - "22000:22000/udp"
+      - "21027:21027/udp"         # discovery
+    environment:
+      - PUID=1000
+      - PGID=1000
+    volumes:
+      - /home/saurav/hetzner_self/data/syncthing:/var/syncthing
+      # NOTE: - /home/saurav/cloud:/sync/cloud    # sync your cloud folder

services/uptime-kuma.yml

@@ -0,0 +1,9 @@
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:latest
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:3001:3001"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock  
+      - /home/saurav/hetzner_self/data/uptime-kuma:/app/data

services/watchtower.yml

@@ -0,0 +1,16 @@
+services:
+  watchtower:
+    image: containrrr/watchtower:latest
+    restart: unless-stopped
+    environment:
+      - WATCHTOWER_NOTIFICATIONS=email
+      - WATCHTOWER_NOTIFICATION_EMAIL_FROM=${WATCHTOWER_EMAIL_FROM}
+      - WATCHTOWER_NOTIFICATION_EMAIL_TO=${WATCHTOWER_EMAIL_TO}
+      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER=smtp.gmail.com
+      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=587
+      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=${WATCHTOWER_EMAIL_USER}
+      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=${WATCHTOWER_EMAIL_PASSWORD}
+      - WATCHTOWER_MONITOR_ONLY=true       # notify only, no auto updates
+      - WATCHTOWER_SCHEDULE=0 0 8 * * *   # check every day at 8am
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock

services/woodpecker.yml

@@ -0,0 +1,38 @@
+services:
+  woodpecker-server:
+    image: woodpeckerci/woodpecker-server:v3
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:8000:8000"
+      - "127.0.0.1:9001:9000"        # changed to 9001
+    environment:
+      - WOODPECKER_OPEN=false
+      - WOODPECKER_ADMIN=saurav12          # your Gitea username
+      - WOODPECKER_GITEA=true
+      - WOODPECKER_GITEA_URL=https://gitea.sauravdhakal.com.np
+      - WOODPECKER_GITEA_CLIENT=${WOODPECKER_GITEA_CLIENT}
+      - WOODPECKER_GITEA_SECRET=${WOODPECKER_GITEA_SECRET}
+      - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
+      - WOODPECKER_HOST=https://ci.sauravdhakal.com.np
+    volumes:
+      - /home/saurav/hetzner_self/data/woodpecker:/var/lib/woodpecker
+    networks:
+      - woodpecker_internal
+
+  woodpecker-agent:
+    image: woodpeckerci/woodpecker-agent:v3
+    restart: unless-stopped
+    environment:
+      - WOODPECKER_SERVER=woodpecker-server:9000
+      - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /home/saurav/hetzner_self/data/woodpecker-agent:/etc/woodpecker
+    networks:
+      - woodpecker_internal
+    depends_on:
+      - woodpecker-server
+
+networks:
+  woodpecker_internal:
+    driver: bridge