⚠️ Before you deploy anything, read PREREQUISITES.md to check domain, DNS, ports, and system requirements.
Production-ready Docker Compose stacks — Reverse proxy, monitoring, self-hosted apps, security. Plug & play.
Each stack is self-contained with its own README, .env.example, and configuration files.
| Stack | Description | Ports |
|---|---|---|
| Traefik | Reverse proxy with auto-SSL (Let's Encrypt) | 80, 443 |
| Authelia | 2FA/SSO authentication portal | 9091 |
| Nextcloud | Self-hosted cloud storage & collaboration | 443 |
| Grafana | Monitoring dashboard (Grafana + Prometheus + Loki + Promtail) | 3000, 9090 |
| Vaultwarden | Lightweight Bitwarden password manager | 8080 |
| Portainer | Docker management UI | 9443 |
| Gitea | Self-hosted lightweight Git | 3000, 2222 |
| Uptime Kuma | Uptime monitoring & status page | 3001 |
| Immich | Self-hosted photo & video backup (Google Photos alt) | 2283 |
| Paperless-ngx | Document digitization, OCR & full-text search | 8000 |
| Jellyfin | Open-source media server (movies, TV, music) | 8096 |
| Backup | Automated volume backups | - |
| Dozzle | Real-time Docker logs viewer | 8080 |
| Registry | Private Docker image registry + UI | 5000 |
| Woodpecker CI | Lightweight CI/CD for Gitea | 8000 |
| CrowdSec | Collaborative IPS with Traefik bouncer | - |
| Headscale | Self-hosted Tailscale/WireGuard control plane | 8080 |
| AdGuard Home | DNS resolver, ad blocker, DNS-over-HTTPS | 53, 3002 |
| ntfy | Push notifications for scripts & alerts | 80 |
| NetBox | IPAM & DCIM | 8080 |
| IT-Tools | Web toolbox (base64, cron, regex, JWT, etc.) | 80 |
| Beszel | Lightweight system monitoring dashboard | 8090 |
| Syncthing | P2P file synchronization | 8384 |
```bash
# 1. Clone the repo
git clone https://github.com/Mounik/docker-stacks.git
cd docker-stacks

# 2. Initialize (creates proxy network + copies .env files)
make init

# 3. Edit .env files with your domain and secrets
# See SECRETS.md for generating secure values
nano traefik/.env
nano authelia/.env

# 4. Start all stacks
make up-all

# Or start individually
make up STACK=traefik
```

For a full homelab or small production setup:
- Traefik — reverse proxy (deploy first, handles SSL for everything)
- Authelia — SSO/2FA in front of your services
- Then add any stack — they're all pre-configured to work with Traefik
- Backup — automated scheduled backups of all volumes
Internet -> Traefik (SSL/routing) -> Authelia (auth) -> Your services
- Traefik labels pre-configured on every stack
- `.env.example` with all variables documented
- Health checks on all services
- Persistent volumes with proper ownership
- Restart policies set to `unless-stopped`
- Network isolation — each stack on its own network
- Security hardening — read-only filesystems, dropped capabilities where possible
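
The properties listed above can be checked mechanically against a resolved Compose model. The script below is an added example, not code from this repository: it audits the JSON that `docker compose config --format json` emits, here using a constructed sample with two hypothetical services. Findings are items to review rather than hard failures, since hardening is applied "where possible".

```python
import json

# Constructed sample in the shape of `docker compose config --format json`
# output; the two services are hypothetical, not taken from the repository.
SAMPLE = json.loads("""
{"services": {
  "app": {"image": "example/app:1.2.3", "restart": "unless-stopped",
          "read_only": true, "cap_drop": ["ALL"],
          "healthcheck": {"test": ["CMD", "wget", "-q", "--spider", "http://localhost:8080/"]}},
  "db":  {"image": "example/db:latest", "restart": "always",
          "healthcheck": {"disable": true}}
}}
""")


def floating_tag(image):
    """True when the image has no tag/digest or uses :latest."""
    if "@" in image:                      # pinned by digest
        return False
    last = image.rsplit("/", 1)[-1]       # ignore a registry host:port prefix
    return ":" not in last or last.rsplit(":", 1)[1] == "latest"


def audit_service(svc):
    """Return review findings for one service of a resolved Compose model."""
    findings = []
    if svc.get("restart") != "unless-stopped":
        findings.append("restart policy is not unless-stopped")
    hc = svc.get("healthcheck") or {}
    if hc.get("disable") or not hc.get("test") or hc.get("test") == ["NONE"]:
        findings.append("no health check")
    if not svc.get("read_only"):
        findings.append("root filesystem is writable")
    if "ALL" not in [c.upper() for c in svc.get("cap_drop") or []]:
        findings.append("cap_drop does not include ALL")
    if floating_tag(svc.get("image", "")):
        findings.append("image tag is floating, rollback needs a pinned tag")
    return findings


def audit(model):
    """Map each service name to its findings."""
    return {name: audit_service(svc) for name, svc in model.get("services", {}).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

To run it on a real stack, replace `SAMPLE` with the parsed output of `docker compose config --format json` executed inside the stack's directory.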
```bash
# Update a single stack
make update STACK=nextcloud

# Update all stacks (one at a time)
for stack in traefik authelia nextcloud grafana vaultwarden portainer gitea uptime-kuma; do
  make update STACK=$stack
done

# Rollback if something breaks
cd nextcloud
docker compose down
# Edit docker-compose.yml to pin previous image tag
docker compose up -d
```

Before updating, always:
- Check the upstream changelog for breaking changes
- Run `make backup` or ensure the backup stack is running
- Update one stack at a time, verify it works
See SECRETS.md for secret management best practices.
```
docker-stacks/
├── traefik/
│   ├── docker-compose.yml
│   ├── .env.example
│   ├── traefik.yml
│   └── README.md
├── authelia/
│   ├── docker-compose.yml
│   ├── .env.example
│   ├── config/
│   │   ├── configuration.yml
│   │   └── users_database.yml
│   └── README.md
├── grafana/
│   ├── docker-compose.yml
│   ├── .env.example
│   ├── prometheus/
│   ├── loki/
│   ├── promtail/
│   └── README.md
├── backup/
│   ├── docker-compose.yml
│   ├── .env.example
│   └── README.md
└── ...
```
Found a bug? Have a stack to add? PRs welcome!
- Fork -> Branch -> PR
- Each stack must have: `docker-compose.yml`, `.env.example`, `README.md`
- Test with `make validate` before submitting
MIT — Use it however you want. No warranty.