Merge branch 'master' into update-readme

.gitignore

@@ -1 +1,2 @@
 node_modules/
+package-lock.json

README.md

@@ -48,7 +48,7 @@ This is the official repository for the Tipi App Store. It contains all the apps
 - [Syncthing](https://github.com/syncthing/syncthing) - Continuous File Synchronization
 - [Tailscale](https://github.com/tailscale/tailscale) - The easiest, most secure way to use WireGuard and 2FA
 - [Tautulli](https://github.com/Tautulli/Tautulli) - A Python based monitoring and tracking tool for Plex Media Server
-- [teddit](https://codeberg.org/teddit/teddit) - alternative Reddit front-end focused on privacy
+- [Teddit](https://codeberg.org/teddit/teddit) - Alternative Reddit front-end focused on privacy https://teddit.net
 - [Transmission](https://github.com/transmission/transmission) - Fast, easy, and free BitTorrent client
 - [Tube Archivist](https://github.com/tubearchivist/tubearchivist) - Your self-hosted YouTube media server
 - [Uptime Kuma](https://github.com/louislam/uptime-kuma) - A fancy self-hosted monitoring tool

apps/jellyfin/config.json

@@ -2,10 +2,11 @@
   "$schema": "../schema.json",
   "name": "Jellyfin",
   "available": true,
+  "exposable": true,
   "port": 8091,
   "id": "jellyfin",
-  "tipi_version": 1,
-  "version": "10.8.1",
+  "tipi_version": 2,
+  "version": "10.8.4",
   "categories": ["media"],
   "description": "Jellyfin is a Free Software Media System that puts you in control of managing and streaming your media. It is an alternative to the proprietary Emby and Plex, to provide media from a dedicated server to end-user devices via multiple apps. Jellyfin is descended from Emby's 3.5.2 release and ported to the .NET Core framework to enable full cross-platform support. There are no strings attached, no premium licenses or features, and no hidden agendas: just a team who want to build something better and work together to achieve it. We welcome anyone who is interested in joining us in our quest!",
   "short_desc": "A media server for your home collection",

apps/jellyfin/docker-compose.yml

@@ -1,8 +1,7 @@
 version: "3.7"
-
 services:
   jellyfin:
-    image: lscr.io/linuxserver/jellyfin:10.8.1
+    image: lscr.io/linuxserver/jellyfin:10.8.4
     container_name: jellyfin
     volumes:
       - ${APP_DATA_DIR}/data/config:/config
@@ -11,8 +10,32 @@ services:
       - PUID=1000
       - PGID=1000
       - TZ=${TZ}
+      - JELLYFIN_PublishedServerUrl=${APP_PROTOCOL:-http}://${APP_DOMAIN}/
     restart: "unless-stopped"
     ports:
       - ${APP_PORT}:8096
     networks:
       - tipi_main_network
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.middlewares.jellyfin-mw.headers.SSLForceHost: true
+      traefik.http.middlewares.jellyfin-mw.headers.SSLHost: ${APP_DOMAIN}
+      traefik.http.middlewares.jellyfin-mw.headers.SSLRedirect: true
+      traefik.http.middlewares.jellyfin-mw.headers.STSIncludeSubdomains: true
+      traefik.http.middlewares.jellyfin-mw.headers.STSPreload: true
+      traefik.http.middlewares.jellyfin-mw.headers.STSSeconds: 315360000
+      traefik.http.middlewares.jellyfin-mw.headers.browserXSSFilter: true
+      traefik.http.middlewares.jellyfin-mw.headers.contentTypeNosniff: true
+      traefik.http.middlewares.jellyfin-mw.headers.customFrameOptionsValue: 'allow-from https://${DOMAIN}'
+      traefik.http.middlewares.jellyfin-mw.headers.customResponseHeaders.X-Robots-Tag: noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
+      traefik.http.middlewares.jellyfin-mw.headers.forceSTSHeader: true
+      traefik.http.middlewares.jellyfin-mw.headers.frameDeny: true
+      traefik.http.routers.jellyfin.entryPoints: websecure
+      traefik.http.routers.jellyfin.middlewares: jellyfin-mw
+      traefik.http.routers.jellyfin.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.jellyfin.service: jellyfin-svc
+      traefik.http.routers.jellyfin.tls: true
+      traefik.http.routers.jellyfin.tls.certresolver: myresolver
+      traefik.http.routers.jellyfin.tls.domains: ${APP_DOMAIN}
+      traefik.http.services.jellyfin-svc.loadBalancer.passHostHeader: true
+      traefik.http.services.jellyfin-svc.loadBalancer.server.port: 8096

apps/joplin/config.json

@@ -2,9 +2,10 @@
   "$schema": "../schema.json",
   "name": "Joplin Server",
   "available": true,
+  "exposable": true,
   "port": 8099,
   "id": "joplin",
-  "tipi_version": 1,
+  "tipi_version": 2,
   "version": "2.7.4",
   "categories": ["utilities"],
   "description": "Default credentials: admin@localhost / admin",
@@ -12,5 +13,14 @@
   "author": "https://github.com/laurent22",
   "source": "https://github.com/laurent22/joplin",
   "website": "https://joplinapp.org",
-  "form_fields": []
+  "form_fields": [
+    {
+      "type": "random",
+      "label": "Joplin DB password",
+      "max": 50,
+      "min": 8,
+      "required": true,
+      "env_variable": "JOPLIN_DB_PASSWORD"
+    }
+  ]
 }

apps/joplin/docker-compose.yml

@@ -8,7 +8,7 @@ services:
       - ${APP_DATA_DIR}/data/postgres:/var/lib/postgresql/data
     restart: unless-stopped
     environment:
-      - POSTGRES_PASSWORD=tipi
+      - POSTGRES_PASSWORD=${JOPLIN_DB_PASSWORD}
       - POSTGRES_USER=tipi
       - POSTGRES_DB=joplin
     networks:
@@ -26,9 +26,9 @@ services:
       - ${DNS_IP}
     environment:
       - APP_PORT=22300
-      - APP_BASE_URL=http://${INTERNAL_IP}:${APP_PORT}
+      - APP_BASE_URL=${APP_PROTOCOL:-http}://${APP_DOMAIN}/
       - DB_CLIENT=pg
-      - POSTGRES_PASSWORD=tipi
+      - POSTGRES_PASSWORD=${JOPLIN_DB_PASSWORD}
       - POSTGRES_USER=tipi
       - POSTGRES_DATABASE=joplin
       - POSTGRES_PORT=5432
@@ -36,3 +36,13 @@ services:
       - MAX_TIME_DRIFT=0
     networks:
       - tipi_main_network
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.joplin.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.joplin.entrypoints: websecure
+      traefik.http.routers.joplin.service: joplin
+      traefik.http.routers.joplin.tls.certresolver: myresolver
+      traefik.http.services.joplin.loadbalancer.server.port: 22300
+      traefik.http.services.joplin.loadbalancer.passhostheader: true
+      traefik.http.middlewares.joplin-sslheader.headers.customrequestheaders.X-Forwarded-Proto: http
+      traefik.http.routers.joplin-sslheader.middlewares: joplin-sslheader@docker

apps/libretranslate/config.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "../schema.json",
+  "name": "LibreTranslate",
+  "available": true,
+  "exposable": true,
+  "port": 8121,
+  "id": "libretranslate",
+  "tipi_version": 1,
+  "version": "v1.2.9",
+  "categories": ["utilities"],
+  "description": "Free and Open Source Machine Translation API, entirely self-hosted. Unlike other APIs, it doesn't rely on proprietary providers such as Google or Azure to perform translations. Instead, its translation engine is powered by the open source Argos Translate library.",
+  "short_desc": "Free and Open Source Machine Translation API. 100% self-hosted, offline capable and easy to setup.",
+  "author": "LibreTranslate",
+  "source": "https://github.com/LibreTranslate/LibreTranslate",
+  "form_fields": []
+}

apps/libretranslate/docker-compose.yml

@@ -0,0 +1,20 @@
+version: "3.7"
+services:
+  libretranslate:
+    container_name: libretranslate
+    image: libretranslate/libretranslate:v1.2.9
+    dns:
+      - ${DNS_IP}
+    ports:
+      - ${APP_PORT}:5000
+    restart: unless-stopped
+    networks:
+      - tipi_main_network
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.libretranslate.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.libretranslate.entrypoints: websecure
+      traefik.http.routers.libretranslate.service: libretranslate
+      traefik.http.routers.libretranslate.tls.certresolver: myresolver
+      traefik.http.services.libretranslate.loadbalancer.server.port: 5000
+

apps/libretranslate/metadata/description.md

@@ -0,0 +1,7 @@
+# LibreTranslate
+
+[Try it online!](https://libretranslate.com) | [API Docs](https://libretranslate.com/docs) | [Community Forum](https://community.libretranslate.com/)
+
+Free and Open Source Machine Translation API, entirely self-hosted. Unlike other APIs, it doesn't rely on proprietary providers such as Google or Azure to perform translations. Instead, its translation engine is powered by the open source [Argos Translate](https://github.com/argosopentech/argos-translate) library.
+
+![image](https://user-images.githubusercontent.com/64697405/139015751-279f31ac-36f1-4950-9ea7-87e76bf65f51.png)

apps/monerod/config.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "../schema.json",
+  "name": "Monero Daemon",
+  "available": true,
+  "exposable": true,
+  "port": 18080,
+  "id": "monerod",
+  "tipi_version": 1,
+  "version": "latest",
+  "categories": ["finance"],
+  "description": "A device on the Internet running the Monero software, with a full copy of the Monero blockchain, actively assisting the Monero network. This is a simple and straightforward Dockerized monerod built from source and exposing standard ports. Please note that running this requires >50GB of free disk space and is best run on solid-state (SSD) storage.",
+  "short_desc": "Monero is a private, decentralized cryptocurrency that keeps your finances confidential and secure.",
+  "author": "sethforprivacy",
+  "source": "https://github.com/sethforprivacy/simple-monerod-docker",
+  "form_fields": []
+}

apps/monerod/docker-compose.yml

@@ -0,0 +1,29 @@
+version: "3.7"
+services:
+  monerod:
+    image: sethsimmons/simple-monerod:latest
+    dns:
+      - ${DNS_IP}
+    ports:
+      - ${APP_PORT}:18080
+    restart: unless-stopped
+    networks:
+      - tipi_main_network
+    container_name: monerod
+    volumes:
+      - ${APP_DATA_DIR}/data:/home/monero/.bitmonero
+    command: >-
+      --rpc-restricted-bind-ip=0.0.0.0
+      --rpc-restricted-bind-port=18089
+      --public-node
+      --no-igd
+      --enable-dns-blocklist
+      --prune-blockchain
+      --zmq-pub=tcp://0.0.0.0:18083
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.monerod.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.monerod.entrypoints: websecure
+      traefik.http.routers.monerod.service: monerod
+      traefik.http.routers.monerod.tls.certresolver: myresolver
+      traefik.http.services.monerod.loadbalancer.server.port: 18089

apps/monerod/metadata/description.md

@@ -0,0 +1,20 @@
+# The Monero network daemon
+
+Monero is a private, decentralized cryptocurrency that keeps your finances confidential and secure.
+
+## Required hardware
+  
+- 2+ vCPUs/cores
+- 4GB+ RAM
+- 75GB+ SSD
+
+## Why run your own Monero node?
+
+The Monero network relies on a distributed web of Monero nodes, each of which validate transactions, propagate transactions to the rest of the network, and helps new nodes easily and quickly synchronize to the current state of the network.
+
+Running a Monero node for yourself not only helps to give you the stronger network-level privacy guarantees, but also helps to increase the decentralization, stability, and speed of the Monero network.
+
+Each node can expose two different services, each of which has a positive impact on the network in a unique way:
+
+- Peer-to-Peer (p2p) port (default 18080): this port allows other nodes on the network to connect to your node to download the blockchain and to send you any transactions they validate that you do not yet have. It also increases overall network privacy, as your node participates in the [Dandelion++](https://www.monerooutreach.org/stories/dandelion.html) propagation of transactions.
+- Remote Procedure Call (RPC) port (default 18089 for restricted): Exposing this port (especially with the `public-node` arg) allows other users on the network, especially those using mobile wallets or the GUI wallet in "Simple" mode, to connect to your node to sync their wallets, without needing to run their own full node locally.

apps/nextcloud/config.json

@@ -5,7 +5,7 @@
   "exposable": true,
   "port": 8083,
   "id": "nextcloud",
-  "tipi_version": 2,
+  "tipi_version": 4,
   "version": "24.0.4",
   "categories": ["data"],
   "description": "Nextcloud is a self-hosted, open source, and fully-featured cloud storage solution for your personal files, office documents, and photos.",
@@ -25,7 +25,7 @@
       "type": "password",
       "label": "Password",
       "max": 50,
-      "min": 3,
+      "min": 10,
       "required": true,
       "env_variable": "NEXTCLOUD_ADMIN_PASSWORD"
     }

apps/nextcloud/docker-compose.yml

@@ -52,7 +52,10 @@ services:
       - POSTGRES_DB=nextcloud
       - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
       - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
-      - NEXTCLOUD_TRUSTED_DOMAINS=${INTERNAL_IP}:${APP_PORT} ${APP_DOMAIN}
+      - NEXTCLOUD_TRUSTED_DOMAINS=${APP_DOMAIN}
+      - TRUSTED_PROXIES=172.16.0.0/12
+      - OVERWRITEHOST=${APP_DOMAIN}
+      - OVERWRITEPROTOCOL=${APP_PROTOCOL:-http}
     depends_on:
       - db-nextcloud
       - redis-nextcloud
@@ -65,4 +68,15 @@ services:
       traefik.http.routers.nextcloud.service: nextcloud
       traefik.http.routers.nextcloud.tls.certresolver: myresolver
       traefik.http.services.nextcloud.loadbalancer.server.port: 80
-
+      traefik.http.middlewares.nextcloud.headers.browserXSSFilter: true
+      traefik.http.middlewares.nextcloud.headers.contentTypeNosniff: true
+      traefik.http.middlewares.nextcloud.headers.stsIncludeSubdomains: true
+      traefik.http.middlewares.nextcloud.headers.stsPreload: true
+      traefik.http.middlewares.nextcloud.headers.stsSeconds: 155520011
+      traefik.http.middlewares.nextcloud_redirect.redirectregex.permanent: true
+      traefik.http.middlewares.nextcloud_redirect.redirectregex.regex: https://(.*)/.well-known/(card|cal)dav
+      traefik.http.middlewares.nextcloud_redirect.redirectregex.replacement: https://$${1}/remote.php/dav/
+      traefik.http.routers.nextcloud.middlewares: nextcloud,nextcloud_redirect,nextcloud-https
+      traefik.http.middlewares.nextcloud.headers.customRequestHeaders.X-Forwarded-Proto: https
+      traefik.http.middlewares.nextcloud-https.redirectscheme.scheme: https
+      traefik.http.routers.nextcloud-http.middlewares: nextcloud-https@docker

apps/nextcloud/metadata/description.md

@@ -26,4 +26,12 @@ Enterprise? Public Sector or Education user? You may want to have a look into [*
 
 You can also [get support for Nextcloud](https://nextcloud.com/support)!
 
+## Reset password
+Nextcloud does not support password resets from environment variables. If you want to change your password run the following commands in your terminal:
+    
+```bash
+sudo docker exec -u www-data -it nextcloud /bin/bash
+php occ user:resetpassword username
+```
+
 ![](https://raw.githubusercontent.com/nextcloud/screenshots/master/files/Files%20Sharing.png)

apps/nitter/config.json

@@ -2,9 +2,10 @@
   "$schema": "../schema.json",
   "name": "Nitter",
   "available": true,
+  "exposable": true,
   "port": 8106,
   "id": "nitter",
-  "tipi_version": 1,
+  "tipi_version": 2,
   "version": "latest",
   "categories": ["social"],
   "description": "A free and open source alternative Twitter front-end focused on privacy and performance.",

apps/nitter/docker-compose.yml

@@ -13,8 +13,20 @@ services:
     depends_on:
       - nitter-redis
     restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost:8080"]
+      interval: 1m
+      timeout: 3s
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.nitter.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.nitter.entrypoints: websecure
+      traefik.http.routers.nitter.service: nitter
+      traefik.http.routers.nitter.tls.certresolver: myresolver
+      traefik.http.services.nitter.loadbalancer.server.port: 8080
+
   nitter-redis:
-    image: redis:6-alpine
+    image: redis:alpine
     container_name: nitter-redis
     networks:
       - tipi_main_network

apps/photoprism/config.json

@@ -3,8 +3,9 @@
   "name": "PhotoPrism",
   "port": 8110,
   "available": true,
+  "exposable": true,
   "id": "photoprism",
-  "tipi_version": 1,
+  "tipi_version": 2,
   "version": "latest",
   "categories": ["photography"],
   "description": "PhotoPrism® is an AI-Powered Photos App for the Decentralized Web. It makes use of the latest technologies to tag and find pictures automatically without getting in your way. You can run it at home, on a private server, or in the cloud. Default username: admin",
@@ -19,6 +20,16 @@
       "min": 8,
       "required": true,
       "env_variable": "PHOTOPRISM_ADMIN_PASSWORD"
+    },
+    {
+      "type": "random",
+      "label": "Photoprism DB password",
+      "env_variable": "DB_PASSWORD"
+    },
+    {
+      "type": "random",
+      "label": "Photoprism root DB password",
+      "env_variable": "DB_ROOT_PASSWORD"
     }
   ]
 }

apps/photoprism/docker-compose.yml

@@ -1,5 +1,4 @@
 version: "3.7"
-
 services:
   photoprism:
     # TODO: Special image for arm/v7 is available
@@ -12,7 +11,7 @@ services:
       - "${APP_PORT}:2342"
     environment:
       PHOTOPRISM_ADMIN_PASSWORD: ${PHOTOPRISM_ADMIN_PASSWORD}
-      PHOTOPRISM_SITE_URL: "http://localhost:2342/"
+      PHOTOPRISM_SITE_URL: "${APP_PROTOCOL:-http}://${APP_DOMAIN}/"
       PHOTOPRISM_ORIGINALS_LIMIT: 5000
       PHOTOPRISM_HTTP_COMPRESSION: "gzip"
       PHOTOPRISM_LOG_LEVEL: "info"
@@ -34,7 +33,7 @@ services:
       PHOTOPRISM_DATABASE_SERVER: "photoprism-db:3306"
       PHOTOPRISM_DATABASE_NAME: "photoprism"
       PHOTOPRISM_DATABASE_USER: "photoprism"
-      PHOTOPRISM_DATABASE_PASSWORD: "photoprism"
+      PHOTOPRISM_DATABASE_PASSWORD: "${DB_PASSWORD}"
       PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
     working_dir: "/photoprism"
     volumes:
@@ -42,10 +41,17 @@ services:
       - "${APP_DATA_DIR}/data/photoprism/storage:/photoprism/storage"
     networks:
       - tipi_main_network
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.photoprism.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.photoprism.entrypoints: websecure
+      traefik.http.routers.photoprism.service: photoprism
+      traefik.http.routers.photoprism.tls.certresolver: myresolver
+      traefik.http.services.photoprism.loadbalancer.server.port: 2342
 
   photoprism-db:
     restart: unless-stopped
-    image: mariadb:10.8.3
+    image: mariadb:10.8
     container_name: photoprism-db
     command: mysqld --innodb-buffer-pool-size=128M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
     volumes:
@@ -53,7 +59,7 @@ services:
     environment:
       MARIADB_DATABASE: "photoprism"
       MARIADB_USER: "photoprism"
-      MARIADB_PASSWORD: "photoprism"
-      MARIADB_ROOT_PASSWORD: "photoprism"
+      MARIADB_PASSWORD: "${DB_PASSWORD}"
+      MARIADB_ROOT_PASSWORD: "${DB_ROOT_PASSWORD}"
     networks:
       - tipi_main_network

apps/plex/config.json

@@ -5,8 +5,8 @@
   "exposable": true,
   "port": 32400,
   "id": "plex",
-  "tipi_version": 4,
-  "version": "1.28.1",
+  "tipi_version": 5,
+  "version": "1.28.2",
   "url_suffix": "/web",
   "categories": ["media"],
   "description": "",

apps/plex/docker-compose.yml

@@ -2,15 +2,17 @@ version: "3.7"
 
 services:
   plex:
-    image: lscr.io/linuxserver/plex:1.28.1
+    image: lscr.io/linuxserver/plex:1.28.2
     container_name: plex
     network_mode: host
     environment:
       - PUID=1000
       - PGID=1000
       - VERSION=docker
+      - ADVERTISE_IP=${APP_PROTOCOL:-http}://${APP_DOMAIN}/
     volumes:
       - ${APP_DATA_DIR}/data/config:/config
+      - ${APP_DATA_DIR}/data/transcode:/transcode
       - ${ROOT_FOLDER_HOST}/media/data:/media
     restart: unless-stopped
     labels:

apps/privatebin/config.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "../schema.json",
+  "name": "PrivateBin",
+  "available": true,
+  "exposable": true,
+  "port": 8122,
+  "id": "privatebin",
+  "tipi_version": 1,
+  "version": "1.4.0",
+  "categories": ["utilities"],
+  "description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in Galois Counter mode.",
+  "short_desc": "A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.",
+  "author": "PrivateBin",
+  "source": "https://github.com/PrivateBin/PrivateBin",
+  "form_fields": []
+}

apps/privatebin/docker-compose.yml

@@ -0,0 +1,21 @@
+version: "3.7"
+services:
+  privatebin:
+    image: privatebin/nginx-fpm-alpine:1.4.0
+    container_name: privatebin
+    dns:
+      - ${DNS_IP}
+    ports:
+      - ${APP_PORT}:8080
+    restart: unless-stopped
+    networks:
+      - tipi_main_network
+    volumes:
+      - ${APP_DATA_DIR}/data:/srv/data
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.privatebin.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.privatebin.entrypoints: websecure
+      traefik.http.routers.privatebin.service: privatebin
+      traefik.http.routers.privatebin.tls.certresolver: myresolver
+      traefik.http.services.privatebin.loadbalancer.server.port: 8080

apps/privatebin/metadata/description.md

@@ -0,0 +1,61 @@
+# [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
+
+**PrivateBin** is a minimalist, open source online
+[pastebin](https://en.wikipedia.org/wiki/Pastebin)
+where the server has zero knowledge of pasted data.
+
+Data is encrypted and decrypted in the browser using 256bit AES in
+[Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
+
+This is a fork of ZeroBin, originally developed by
+[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). PrivateBin was
+refactored to allow easier and cleaner extensions and has many additional
+features. It is, however, still fully compatible to the original ZeroBin 0.19
+data storage scheme. Therefore, such installations can be upgraded to PrivateBin
+without losing any data.
+
+## What PrivateBin provides
+
++ As a server administrator you don't have to worry if your users post content
+  that is considered illegal in your country. You have plausible deniability of
+  any of the pastes content. If requested or enforced, you can delete any paste
+  from your system.
+
++ Pastebin-like system to store text documents, code samples, etc.
+
++ Encryption of data sent to server.
+
++ Possibility to set a password which is required to read the paste. It further
+  protects a paste and prevents people stumbling upon your paste's link
+  from being able to read it without the password.
+
+## What it doesn't provide
+
+- As a user you have to trust the server administrator not to inject any
+  malicious code. For security, a PrivateBin installation *has to be used over*
+  *HTTPS*! Otherwise you would also have to trust your internet provider, and
+  any jurisdiction the traffic passes through. Additionally the instance should
+  be secured by
+  [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It can
+  use traditional certificate authorities and/or use a
+  [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
+  protected
+  [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)
+  record.
+
+- The "key" used to encrypt the paste is part of the URL. If you publicly post
+  the URL of a paste that is not password-protected, anyone can read it.
+  Use a password if you want your paste to remain private. In that case, make
+  sure to use a strong password and share it privately and end-to-end-encrypted.
+
+- A server admin can be forced to hand over access logs to the authorities.
+  PrivateBin encrypts your text and the discussion contents, but who accessed a
+  paste (first) might still be disclosed via access logs.
+
+- In case of a server breach your data is secure as it is only stored encrypted
+  on the server. However, the server could be absused or the server admin could
+  be legally forced into sending malicious code to their users, which logs
+  the decryption key and sends it to a server when a user accesses a paste.
+  Therefore, do not access any PrivateBin instance if you think it has been
+  compromised. As long as no user accesses this instance with a previously
+  generated URL, the content can't be decrypted.

apps/searxng/config.json

@@ -0,0 +1,23 @@
+{
+  "$schema": "../schema.json",
+  "name": "SearXNG",
+  "available": true,
+  "exposable": true,
+  "port": 8127,
+  "id": "searxng",
+  "tipi_version": 1,
+  "version": "latest",
+  "categories": ["social"],
+  "description": "SearXNG is a free internet metasearch engine which aggregates results from various search services and databases. Users are neither tracked nor profiled.",
+  "short_desc": "Privacy-respecting, hackable metasearch engine",
+  "author": "searxng",
+  "source": "https://github.com/searxng/searxng",
+  "form_fields": [
+    {
+      "type": "random",
+      "label": "SearXNG Secret Key",
+      "min": 32,
+      "env_variable": "SEARXNG_SECRET_KEY"
+    }
+  ]
+}

apps/searxng/docker-compose.yml

@@ -0,0 +1,24 @@
+version: "3.7"
+
+services:
+  searxng:
+    container_name: searxng
+    image: searxng/searxng:latest
+    restart: unless-stopped
+    networks:
+      - tipi_main_network
+    volumes:
+      - "${APP_DATA_DIR}/data:/etc/searxng"
+    ports:
+      - ${APP_PORT}:8080
+    environment:
+      - BIND_ADDRESS=0.0.0.0:8080
+      - BASE_URL=${APP_PROTOCOL:-http}://${APP_DOMAIN}/
+      - SECRET_KEY=${SEARXNG_SECRET_KEY}
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.searxng.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.searxng.entrypoints: websecure
+      traefik.http.routers.searxng.service: searxng
+      traefik.http.routers.searxng.tls.certresolver: myresolver
+      traefik.http.services.searxng.loadbalancer.server.port: 8080

apps/searxng/metadata/description.md

@@ -0,0 +1,21 @@
+## Privacy-respecting, hackable metasearch engine
+
+SearXNG is a free internet metasearch engine which aggregates results from more than 70 search services. Users are neither tracked nor profiled. Additionally, SearXNG can be used over Tor for online anonymity.
+
+### Differences to searx
+
+SearXNG is a fork of searx. Here are some of the changes:
+
+- User experience
+- Huge update of the simple theme:
+  - usable on desktop, tablet and mobile
+  - light and dark versions (you can choose in the preferences)
+  - support right-to-left languages
+- the translations are up to date, you can contribute on Weblate
+- the preferences page has been updated:
+  - you can see which engines are reliable or not
+  - engines are grouped inside each tab
+  - each engine has a description
+- thanks to the anonymous metrics, it is easier to report a bug of an engine and thus engines get fixed more quickly
+  - if you don't want any metrics to be recorded, you can disable them on the server
+- administrator can block and/or replace the URLs in the search results

apps/send/config.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "../schema.json",
+  "name": "Send",
+  "available": true,
+  "exposable": true,
+  "port": 8126,
+  "id": "send",
+  "tipi_version": 1,
+  "version": "latest",
+  "categories": ["utilities"],
+  "description": "A file sharing experiment which allows you to send encrypted files to other users.",
+  "short_desc": "Simple, private file sharing. https://send.vis.ee/",
+  "author": "timvisee",
+  "source": "https://gitlab.com/timvisee/send",
+  "form_fields": []
+}

apps/send/docker-compose.yml

@@ -0,0 +1,46 @@
+version: "3.7"
+services:
+  send:
+    image: registry.gitlab.com/timvisee/send:latest
+    container_name: send
+    restart: unless-stopped
+    dns:
+      - ${DNS_IP}
+    ports:
+      - ${APP_PORT}:1443
+    networks:
+      - tipi_main_network
+    volumes:
+      - ${APP_DATA_DIR}/data/uploads:/uploads
+    environment:
+      - NODE_ENV=production
+      # Networking
+      - BASE_URL=${APP_PROTOCOL:-http}://${APP_DOMAIN}
+      # Redis
+      - REDIS_HOST=send-redis
+      # Storage Limit
+      - MAX_FILE_SIZE=2147483648
+      - DETECT_BASE_URL=true
+    depends_on:
+      - send-redis
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.send.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.send.entrypoints: websecure
+      traefik.http.routers.send.service: send
+      traefik.http.routers.send.tls.certresolver: myresolver
+      traefik.http.services.send.loadbalancer.server.port: 1443
+  
+  send-redis:
+    image: redis:alpine
+    container_name: send-redis
+    restart: unless-stopped
+    volumes:
+      - ${APP_DATA_DIR}/data/redis:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 1s
+      timeout: 3s
+      retries: 30
+    networks:
+      - tipi_main_network

apps/send/metadata/description.md

@@ -0,0 +1,29 @@
+A fork of Mozilla's [Firefox Send][mozilla-send].
+Mozilla discontinued Send, this fork is a community effort to keep the project
+up-to-date and alive.
+
+- Forked [at][fork-commit] Mozilla's last publicly hosted version
+- _Mozilla_ & _Firefox_ branding [is][remove-branding-pr] removed so you can legally self-host
+- Kept compatible with [`ffsend`][ffsend] (CLI for Send)
+- Dependencies have been updated
+- Mozilla's [changes][mozilla-patches] since the fork have been selectively [merged][mozilla-patches-pr]
+- Mozilla's experimental report feature, download tokens, trust warnings and FxA changes are not included
+
+Find an up-to-date Docker image here: [docs/docker.md](docs/docker.md)
+
+The original project by Mozilla can be found [here][mozilla-send].
+Please consider to [donate][donate] to allow me to keep working on this.
+
+Thanks [Mozilla][mozilla] for building this amazing tool!
+
+[branch-mozilla-master]: https://gitlab.com/timvisee/send/-/tree/mozilla-master
+[branch-send-v3]: https://gitlab.com/timvisee/send/-/tree/send-v3
+[branch-send-v4]: https://gitlab.com/timvisee/send/-/tree/send-v4
+[donate]: https://timvisee.com/donate
+[ffsend]: https://github.com/timvisee/ffsend
+[fork-commit]: https://gitlab.com/timvisee/send/-/commit/3e9be676413a6e1baaf6a354c180e91899d10bec
+[mozilla-patches-pr]: https://gitlab.com/timvisee/send/-/merge_requests/3
+[mozilla-patches]: https://gitlab.com/timvisee/send/-/compare/3e9be676413a6e1baaf6a354c180e91899d10bec...mozilla-master
+[mozilla-send]: https://github.com/mozilla/send
+[mozilla]: https://mozilla.org/
+[remove-branding-pr]: https://gitlab.com/timvisee/send/-/merge_requests/2

apps/syncthing/config.json

@@ -7,7 +7,7 @@
   "tipi_version": 1,
   "version": "1.20",
   "categories": ["data", "utilities"],
-  "description": "Syncthing is a peer-to-peer continuous file synchronization program. It synchronizes files between two or more computers in real time, safely protected from prying eyes. Your data is your data alone and you deserve to choose where it is stored, whether it is shared with some third party, and how it's transmitted over the internet.\n\nInstall the Syncthing app on your Umbrel and pair it with the Syncthing app on your phone or computer for a self hosted peer-to-peer backup solution.",
+  "description": "Syncthing is a continuous file synchronization program. It synchronizes files between two or more computers. We strive to fulfill the goals below. The goals are listed in order of importance, the most important one being the first. This is the summary version of the goal list - for more commentary, see the full Goals document.",
   "short_desc": "Peer-to-peer file synchronization between your devices",
   "author": "The Syncthing Foundation",
   "source": "https://github.com/syncthing",

apps/teddit/config.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "../schema.json",
+  "name": "teddit",
+  "available": true,
+  "exposable": true,
+  "port": 8124,
+  "id": "teddit",
+  "tipi_version": 1,
+  "version": "latest",
+  "categories": ["social"],
+  "description": "A free and open source alternative Reddit front-end focused on privacy. Inspired by the Nitter project.",
+  "short_desc": "Alternative Reddit front-end focused on privacy https://teddit.net",
+  "author": "teddit",
+  "source": "https://codeberg.org/teddit/teddit",
+  "form_fields": []
+}

apps/teddit/docker-compose.yml

@@ -0,0 +1,45 @@
+version: "3.7"
+
+services:
+  teddit:
+    image: teddit/teddit:latest
+    container_name: teddit
+    networks:
+      - tipi_main_network
+    ports:
+      - ${APP_PORT}:8080
+    depends_on:
+      - teddit-redis
+    restart: unless-stopped
+    environment:
+      - REDIS_HOST=teddit-redis
+      - DOMAIN=${APP_DOMAIN}
+      - THEME=dark
+      - HTTPS_ENABLED=false
+      - REDIRECT_HTTP_TO_HTTPS=false
+      - REDIRECT_WWW=false
+    healthcheck:
+      test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost:8080/about"]
+      interval: 1m
+      timeout: 3s
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.teddit.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.teddit.entrypoints: websecure
+      traefik.http.routers.teddit.service: teddit
+      traefik.http.routers.teddit.tls.certresolver: myresolver
+      traefik.http.services.teddit.loadbalancer.server.port: 8080
+  
+  teddit-redis:
+    image: redis:alpine
+    container_name: teddit-redis
+    restart: unless-stopped
+    volumes:
+      - ${APP_DATA_DIR}/data/redis:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 1s
+      timeout: 3s
+      retries: 30
+    networks:
+      - tipi_main_network

apps/teddit/metadata/description.md

@@ -0,0 +1,17 @@
+# teddit
+
+[teddit.net](https://teddit.net)
+
+A free and open source alternative Reddit front-end focused on privacy.
+Inspired by the [Nitter](https://github.com/zedeus/nitter) project.
+
+* No JavaScript or ads
+* All requests go through the backend, client never talks to Reddit
+* Prevents Reddit from tracking your IP or JavaScript fingerprint
+* [Unofficial API](https://codeberg.org/teddit/teddit/wiki#teddit-api) (RSS & JSON support, no rate limits or Reddit account required)
+* Lightweight (teddit frontpage: ~30 HTTP requests with ~270 KB of data downloaded vs. Reddit frontpage: ~190 requests with ~24 MB)
+* Self-hostable. Anyone can setup an instance. An instance can either use Reddit's API with or without OAuth (so Reddit API key is not necessarily needed).
+
+Join the teddit discussion room on Matrix: [#teddit:matrix.org](https://matrix.to/#/#teddit:matrix.org)
+
+XMR: 832ogRwuoSs2JGYg7wJTqshidK7dErgNdfpenQ9dzMghNXQTJRby1xGbqC3gW3GAifRM9E84J91VdMZRjoSJ32nkAZnaCEj

apps/tubearchivist/config.json

@@ -0,0 +1,41 @@
+{
+  "$schema": "../schema.json",
+  "name": "Tube Archivist",
+  "available": true,
+  "exposable": true,
+  "port": 8120,
+  "id": "tubearchivist",
+  "tipi_version": 1,
+  "version": "latest",
+  "categories": ["media"],
+  "description": "Once your YouTube video collection grows, it becomes hard to search and find a specific video. That's where Tube Archivist comes in: By indexing your video collection with metadata from YouTube, you can organize, search and enjoy your archived YouTube videos without hassle offline through a convenient web interface.",
+  "short_desc": "Your self-hosted YouTube media server",
+  "author": "bbilly1",
+  "source": "https://github.com/tubearchivist/tubearchivist",
+  "form_fields": [
+    {
+      "type": "text",
+      "label": "Tube Archivist Username",
+      "max": 50,
+      "min": 3,
+      "required": true,
+      "env_variable": "TA_USER"
+    },
+    {
+      "type": "password",
+      "label": "Tube Archivist Password",
+      "max": 50,
+      "min": 3,
+      "required": true,
+      "env_variable": "TA_PASSWORD"
+    },
+    {
+      "type": "random",
+      "label": "Elasticsearch Password",
+      "max": 50,
+      "min": 3,
+      "required": true,
+      "env_variable": "ELASTIC_PASSWORD"
+    }
+  ]
+}

apps/tubearchivist/docker-compose.yml

@@ -0,0 +1,66 @@
+version: "3.7"
+
+services:
+  tubearchivist:
+    container_name: tubearchivist
+    restart: unless-stopped
+    image: bbilly1/tubearchivist:latest
+    volumes:
+      - ${APP_DATA_DIR}/data/media:/youtube
+      - ${APP_DATA_DIR}/data/cache:/cache
+    environment:
+      - ES_URL=http://tubearchivist-es:9200
+      - REDIS_HOST=tubearchivist-redis
+      - HOST_UID=${UID}
+      - HOST_GID=${GID}
+      - TA_USERNAME=${TA_USER}
+      - TA_PASSWORD=${TA_PASSWORD}
+      - TA_HOST=${APP_DOMAIN}
+      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
+    depends_on:
+      - tubearchivist-es
+      - tubearchivist-redis
+    networks:
+      - tipi_main_network
+    dns:
+      - ${DNS_IP}
+    ports:
+      - ${APP_PORT}:8000
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.tubearchivist.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.tubearchivist.entrypoints: websecure
+      traefik.http.routers.tubearchivist.service: tubearchivist
+      traefik.http.routers.tubearchivist.tls.certresolver: myresolver
+      traefik.http.services.tubearchivist.loadbalancer.server.port: 8000
+
+  tubearchivist-redis:
+    image: redislabs/rejson:latest
+    container_name: tubearchivist-redis
+    restart: always
+    networks:
+      - tipi_main_network
+    volumes:
+      - ${APP_DATA_DIR}/data/redis-data:/data
+    depends_on:
+      - tubearchivist-es
+
+  tubearchivist-es:
+    image: bbilly1/tubearchivist-es:latest
+    container_name: tubearchivist-es
+    restart: always
+    environment:
+      - "xpack.security.enabled=true"
+      - "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}"
+      - "discovery.type=single-node"
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    networks:
+      - tipi_main_network
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    volumes:
+      - ${APP_DATA_DIR}/data/es:/usr/share/elasticsearch/data
+    expose:
+      - "9200"

apps/tubearchivist/metadata/description.md

@@ -0,0 +1,21 @@
+# Your self-hosted YouTube media server
+
+![Tube Archivist](https://github.com/tubearchivist/tubearchivist/blob/master/assets/tube-archivist-banner.jpg?raw=true "Tube Archivist Banner")
+
+## Core functionality
+
+* Subscribe to your favorite YouTube channels
+* Download Videos using **yt-dlp**
+* Index and make videos searchable
+* Play videos
+* Keep track of viewed and unviewed videos
+
+## If you have issues running Tube Archivist
+
+Please visit the following URL and ensure neither of the tips resolve the issue:
+
+https://github.com/tubearchivist/tubearchivist#potential-pitfalls
+
+If they do not, please open an app here and tag @sethforprivacy:
+
+https://github.com/meienberger/runtipi-appstore/issues

apps/uptime-kuma/config.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "../schema.json",
+  "name": "Uptime Kuma",
+  "available": true,
+  "exposable": true,
+  "port": 8125,
+  "id": "uptime-kuma",
+  "tipi_version": 1,
+  "version": "1",
+  "categories": ["utilities"],
+  "description": "It is a self-hosted monitoring tool like Uptime Robot.",
+  "short_desc": "A fancy self-hosted monitoring tool.",
+  "author": "louislam",
+  "source": "https://github.com/louislam/uptime-kuma",
+  "form_fields": []
+}

apps/uptime-kuma/docker-compose.yml

@@ -0,0 +1,21 @@
+version: "3.7"
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:1
+    container_name: uptime-kuma
+    volumes:
+      - ${APP_DATA_DIR}/data:/app/data
+    dns:
+      - ${DNS_IP}
+    ports:
+      - ${APP_PORT}:3001
+    restart: unless-stopped
+    networks:
+      - tipi_main_network
+    labels:
+      traefik.enable: ${APP_EXPOSED}
+      traefik.http.routers.uptime-kuma.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.uptime-kuma.entrypoints: websecure
+      traefik.http.routers.uptime-kuma.service: uptime-kuma
+      traefik.http.routers.uptime-kuma.tls.certresolver: myresolver
+      traefik.http.services.uptime-kuma.loadbalancer.server.port: 3001

apps/uptime-kuma/metadata/description.md

@@ -0,0 +1,33 @@
+# Uptime Kuma
+
+<div align="center" width="100%">
+    <img src="https://github.com/louislam/uptime-kuma/raw/master/public/icon.svg" width="128" alt="" />
+</div>
+
+It is a self-hosted monitoring tool like "Uptime Robot".
+
+<img src="https://uptime.kuma.pet/img/dark.jpg" width="700" alt="" />
+
+## 🥔 Live Demo
+
+Try it!
+
+https://demo.uptime.kuma.pet
+
+It is a temporary live demo, all data will be deleted after 10 minutes. The server is located in Tokyo, so if you live far from there, it may affect your experience. I suggest that you should install and try it out for the best demo experience.
+
+VPS is sponsored by Uptime Kuma sponsors on [Open Collective](https://opencollective.com/uptime-kuma)! Thank you so much!
+
+## ⭐ Features
+
+* Monitoring uptime for HTTP(s) / TCP / HTTP(s) Keyword / Ping / DNS Record / Push / Steam Game Server / Docker Containers.
+* Fancy, Reactive, Fast UI/UX.
+* Notifications via Telegram, Discord, Gotify, Slack, Pushover, Email (SMTP), and [90+ notification services, click here for the full list](https://github.com/louislam/uptime-kuma/tree/master/src/components/notifications).
+* 20 second intervals.
+* [Multi Languages](https://github.com/louislam/uptime-kuma/tree/master/src/languages)
+* Multiple Status Pages
+* Map Status Page to Domain
+* Ping Chart
+* Certificate Info
+* Proxy Support
+* 2FA available

apps/vaultwarden/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.7'
 
 services:
   vaultwarden:
-    image: vaultwarden/server:1.25.1
+    image: vaultwarden/server:1.25.2
     container_name: vaultwarden
     restart: unless-stopped
     ports: