Update docker-compose.yml

increase rcon pw

README.md

@@ -37,8 +37,8 @@ cd <container-of-interest>
 docker compose up
 ````
 
-> **Note**:
-> The samples are intended for use in local development environments such as project setups, tinkering with software stacks, etc. These samples may be deployed in production environments or exposed to the Internet but please adhere to general hardening and security guidelines. Adjust all default credentials, use a separate `.env` file or platform for secrets management, implement a backup process and have a tested disaster recovery plan. Use a reverse proxy to stream-line your web service exposure and provide an encrypted HTTPS communication channel with trusted SSL certificates.
+> [!WARNING]
+> The samples are intended for local development environments such as project setups, tinkering with software stacks, etc. These samples may be deployed in production environments or exposed to the Internet but please adhere to general hardening and security guidelines. Adjust all default credentials, use a separate `.env` file or platform for secret management, implement a backup process and have a tested disaster recovery plan. Use a reverse proxy to stream-line your web service exposure and provide an encrypted HTTPS communication channel with trusted SSL certificates.
 
 ## 🐳 Project List
 
@@ -56,6 +56,7 @@ docker compose up
 - [Domain Name Service (DNS)](#domain-name-service-dns)
 - [E-commerce](#e-commerce)
 - [File Transfer & Synchronization](#file-transfer--synchronization)
+- [Games and Control Panels](#games-and-control-servers)
 - [Genealogy](#genealogy)
 - [Identity Management - Single Sign-On (SSO) & LDAP](#identity-management---single-sign-on-sso--ldap)
 - [Miscellaneous](#miscellaneous)
@@ -71,7 +72,7 @@ docker compose up
 - [Security & Privacy](#security--privacy)
 - [Software Development - Project Management, DevOps](#software-development---project-management-devops)
 - [URL Shorteners](#url-shorteners)
-- [Virtual Private Network (VPN)](#virtual-private-network-vpn)
+- [Virtual Private Network (VPN) & Remote Access](#virtual-private-network-vpn--remote-access)
 - [Wikis & Knowledge Base](#wikis--knowledge-base)
 
 ### Personal Dashboards
@@ -119,7 +120,7 @@ A [proxy](https://en.wikipedia.org/wiki/Proxy_server) is a server application th
 - [Keycloak](https://github.com/keycloak/keycloak-containers/tree/main/docker-compose-examples) - Keycloak is an open-source Identity and Access Management (IAM) solution for modern applications and services.
 - [lldap](examples/lldap) - lldap is a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. It integrates with many backends, from KeyCloak to Authelia to Nextcloud and more.
 
-### Virtual Private Network (VPN)
+### Virtual Private Network (VPN) & Remote Access
 
 **[`^        back to top        ^`](#-project-list)**
 
@@ -131,6 +132,7 @@ A [VPN](https://en.wikipedia.org/wiki/Virtual_private_network) is a mechanism fo
 - [Firezone](examples/firezone) - Self-hosted secure remote access gateway that supports the WireGuard protocol. It offers a Web GUI, 1-line install script, multi-factor auth (MFA), and SSO.
 - ~~[Netbird](https://github.com/netbirdio/netbird)~~ - Quickly connect your computers, servers, cloud instances, and IoT devices into a secure private network. No configuration required.
 - [Headscale](examples/headscale) - An open source, self-hosted implementation of the Tailscale control server.
+- [Guacamole](examples/guacamole) - Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, SSH and RDP.
 
 ### Domain Name Service (DNS)
 
@@ -239,6 +241,7 @@ A [document management system](https://en.wikipedia.org/wiki/Document_management
 
 - [Paperless NGX](examples/paperless-ngx) - A community-supported supercharged version of paperless: scan, index and archive all your physical documents.
 - [Papermerge](examples/papermerge) - Free and open source document management system with OCR designed for scanned documents, digital archives, pdf, tiff, jpeg.
+- [DocuSeal](examples/docuseal) - Create, fill, and sign digital documents (alternative to DocuSign).
 
 ### Pastebins
 
@@ -408,6 +411,15 @@ A request bin service allows one to collect and inspect HTTP requests. It may be
 - [Request-Baskets](https://github.com/darklynx/request-baskets) - HTTP requests collector to test webhooks, notifications, REST clients and more.
 - [Mockbin](https://github.com/Kong/mockbin) - Mock, Test & Track HTTP Requests and Response for Microservices.
 
+### Games and Control Servers
+
+**[`^        back to top        ^`](#-project-list)**
+
+Multiplayer game servers, browser games and utilities for managing game servers.
+
+- [cs2-dedicated-server](examples/cs2-dedicated-server) - CS2 Dedicated Server Docker Image with an RCON web-based control panel.
+
+
 ### Miscellaneous
 
 **[`^        back to top        ^`](#-project-list)**

examples/adguard-home/docker-compose.yml

@@ -21,4 +21,17 @@ services:
     restart: unless-stopped
     volumes:
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/adguard-home/work:/opt/adguardhome/work
-      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/adguard-home/conf:/opt/adguardhome/conf
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/adguard-home/conf:/opt/adguardhome/conf
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.adguard.rule=Host(`dns.example.com`)
+    #  - traefik.http.services.adguard.loadbalancer.server.port=8080
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.adguard.middlewares=local-ipwhitelist@file,authelia@docker
+
+#networks:
+#  proxy:
+#    external: true      

examples/answer/docker-compose.yml

@@ -1,4 +1,5 @@
 version: "3"
+
 services:
   answer:
     container_name: answer
@@ -8,3 +9,21 @@ services:
     restart: unless-stopped
     volumes:
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/answer/data:/data
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.answer.rule=Host(`faq.example.com`)
+    #  - traefik.http.services.answer.loadbalancer.server.port=80
+    #  # Optional part for file upload max sizes
+    #  - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.answer.middlewares=local-ipwhitelist@file,authelia@docker
+
+#networks:
+#  proxy:
+#    external: true

examples/bibliogram/docker-compose.yml

@@ -6,5 +6,18 @@ services:
     volumes:
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bibliogram/config.js:/app/config.js:ro
     ports:
-      - '10407:10407'
-    restart: unless-stopped
+      - 10407:10407
+    restart: unless-stopped
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.bibliogram.rule=Host(`bibliogram.example.com`)
+    #  - traefik.http.services.bibliogram.loadbalancer.server.port=10407
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.bibliogram.middlewares=local-ipwhitelist@file,authelia@docker
+
+#networks:
+#  proxy:
+#    external: true  

examples/bookstack/docker-compose.yml

@@ -8,7 +8,7 @@ services:
     environment:
       - PUID=1000
       - PGID=1000
-      - APP_URL=https://wiki.example.com # change this
+      - APP_URL=http://127.0.0.1:8099 # change this to your prod url with https
       - DB_HOST=bookstack_db
       - DB_USER=bookstack
       - DB_PASS=USERPW1
@@ -20,6 +20,20 @@ services:
       - 8099:80
     depends_on:
       - bookstack_db
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.bookstack.rule=Host(`bookstack.example.com`)
+    #  - traefik.http.services.bookstack.loadbalancer.server.port=80
+    #  # Optional part for file upload max sizes
+    #  - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.bookstack.middlewares=local-ipwhitelist@file,authelia@docker    
 
   bookstack_db:
     image: linuxserver/mariadb
@@ -36,3 +50,9 @@ services:
     volumes:
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bookstack/mariadb-config:/config
     restart: unless-stopped
+    #networks:
+    #  - proxy
+
+#networks:
+#  proxy:
+#    external: true  

examples/code-server/docker-compose.yml

@@ -1,6 +1,7 @@
----
 version: "2.1"
+
 services:
+
   code-server:
     image: lscr.io/linuxserver/code-server:latest
     container_name: code-server
@@ -18,3 +19,21 @@ services:
     ports:
       - 8443:8443
     restart: unless-stopped
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.codeserver.rule=Host(`code.example.com`)
+    #  - traefik.http.services.codeserver.loadbalancer.server.port=8443
+    #  # Optional part for file upload max sizes
+    #  - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.codeserver.middlewares=local-ipwhitelist@file,authelia@docker
+
+#networks:
+#  proxy:
+#    external: true

examples/cs2-dedicated-server/README.md

@@ -0,0 +1,12 @@
+# References
+
+- https://github.com/joedwards32/CS2
+- https://github.com/shobhit-pathak/cs2-rcon-panel
+
+# Notes
+
+Minimum system requirements are:
+
+- 2 CPUs
+- 2 GiB RAM
+- 40 GB of disk space for the container or mounted as a persistent volume on /home/steam/cs2-dedicated/

examples/cs2-dedicated-server/docker-compose.yml

@@ -0,0 +1,53 @@
+version: '3.7'
+
+services:
+
+  cs2-server:
+    image: joedwards32/cs2
+    container_name: cs2-dedicated-server
+    restart: unless-stopped
+    environment:
+      # Server configuration
+      - SRCDS_TOKEN=<YOUR-GAME-SERVER-TOKEN>        # Game Server Token from https://steamcommunity.com/dev/managegameservers
+      - CS2_SERVERNAME=MY-CS2-SERVER                # (Set the visible name for your private server)
+      - CS2_CHEATS=0                                # (0 - disable cheats, 1 - enable cheats)
+      - CS2_PORT=27015                              # (CS2 server listen port tcp_udp)
+      - CS2_SERVER_HIBERNATE=0                      # (Put server in a low CPU state when there are no players. 0 - hibernation disabled, 1 - hibernation enabled)
+      - CS2_LAN=0                                   # (0 - LAN mode disabled, 1 - LAN Mode enabled)
+      - CS2_RCONPW=cruelly-sequel-dejected          #  (RCON password)
+      - CS2_PW=sake-earthly-lair                    # (CS2 server password)
+      - CS2_MAXPLAYERS=10                           # (Max players)
+      # Game modes
+      - CS2_GAMEALIAS=competitive   # (Game type, e.g. casual, competitive, deathmatch. See https://developer.valvesoftware.com/wiki/Counter-Strike_2/Dedicated_Servers)
+      - CS2_GAMETYPE=0              # (Used if CS2_GAMEALIAS not defined. See https://developer.valvesoftware.com/wiki/Counter-Strike_2/Dedicated_Servers)
+      - CS2_GAMEMODE=1              # (Used if CS2_GAMEALIAS not defined. See https://developer.valvesoftware.com/wiki/Counter-Strike_2/Dedicated_Servers)
+      - CS2_MAPGROUP=mg_active      # (Map pool)
+      - CS2_STARTMAP=de_dust2       # (Start map)
+      # Bots
+      - CS2_BOT_DIFFICULTY=0              # (0 - easy, 1 - normal, 2 - hard, 3 - expert)
+      - CS2_BOT_QUOTA=0                   # (Number of bots)
+      - CS2_BOT_QUOTA_MODE=competitive    # (fill, competitive)
+      # TV
+      - TV_AUTORECORD=0             # Automatically records all games as CSTV demos: 0=off, 1=on.
+      - TV_ENABLE=0                 # Activates CSTV on server: 0=off, 1=on.
+      - TV_PORT=27020               # Host SourceTV port
+      - TV_PW=changeme              # CSTV password for clients
+      - TV_RELAY_PW=changeme        # CSTV password for relay proxies
+      - TV_MAXRATE=0                # World snapshots to broadcast per second. Affects camera tickrate.
+      - TV_DELAY=0                  # Max CSTV spectator bandwidth rate allowed, 0 == unlimited
+    volumes:
+      - cs2:/home/steam/cs2-dedicated/
+    ports:
+      - 27015:27015/tcp         # TCP
+      - 27015:27015/udp         # UDP
+      #- 27020:27020/udp        # UDP
+
+  cs2-rconpanel:
+    image: soren90/rcon-panel
+    container_name: cs2-rcon-panel
+    ports:
+      - 3000:3000
+    restart: unless-stopped
+
+volumes:
+  cs2:

examples/deemix/docker-compose.yml

@@ -9,6 +9,23 @@ services:
     hostname: deemix
     image: registry.gitlab.com/bockiii/deemix-docker:latest
     restart: unless-stopped
+    ports:
+      - 6595:6595
+    expose:
+      - 6595
     volumes:
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/deemix/config:/config
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/deemix/downloads:/downloads
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.deemix.rule=Host(`deemix.example.com`)
+    #  - traefik.http.services.deemix.loadbalancer.server.port=6595
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.deemix.middlewares=local-ipwhitelist@file,authelia@docker
+
+#networks:
+#  proxy:
+#    external: true

examples/docuseal/README.md

@@ -0,0 +1,3 @@
+# References
+
+- https://github.com/docusealco/docuseal

examples/docuseal/docker-compose.yml

@@ -0,0 +1,52 @@
+version: '3'
+
+services:
+
+  app:
+    image: docuseal/docuseal:latest
+    container_name: docuseal
+    restart: unless-stopped
+    environment:
+      - DATABASE_URL=postgresql://postgres:postgres@postgres:5432/docuseal
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/docuseal/data:/data
+    depends_on:
+      postgres:
+        condition: service_healthy
+    ports:
+      - 3000:3000
+    expose:
+      - 3000
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.docuseal.rule=Host(`docuseal.example.com`)
+    #  - traefik.http.services.docuseal.loadbalancer.server.port=3000
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.docuseal.middlewares=local-ipwhitelist@file,authelia@docker
+
+  postgres:
+    image: postgres:15-alpine
+    container_name: docuseal-db
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+      - POSTGRES_DB=docuseal
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/docuseal/pg_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    expose:
+      - 5432
+    #networks:
+    #  - proxy
+
+#networks:
+#  proxy:
+#    external: true

examples/domainmod/docker-compose.yml

@@ -35,6 +35,6 @@ services:
       - MYSQL_ROOT_PASSWORD=password2
     volumes:
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/domainmod/database:/config
-    #ports:
-    #  - 3306
+    expose:
+      - 3306
     restart: unless-stopped

examples/element-web/README.md

@@ -1,3 +0,0 @@
-# References
-
-- https://hub.docker.com/r/vectorim/element-web

examples/element-web/docker-compose.yml

@@ -1,9 +0,0 @@
-version: '3.3'
-
-services:
-    element-web:
-        image: 'vectorim/element-web'
-        container_name: element-web
-        ports:
-            - '80:80'
-        restart: unless-stopped

examples/guacamole/README.md

@@ -0,0 +1,35 @@
+# References
+
+- https://hub.docker.com/r/guacamole/guacamole/
+
+# Notes
+
+Before spawning up the Docker Compose stack you have to pre-supply an `initdb.sql` initialization file for the Postgresql database.
+
+The file is provided in this repository but can also be created dynamically via:
+
+````
+docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql > initdb.sql
+````
+
+Please go ahead and place this init file in the corresponding Docker Volume Bind Mount.
+
+````
+mkdir -p /mnt/docker-volumes/guacamole/psql/init
+
+# Option 1: move init file from this repo to the new location
+mv initdb.sql /mnt/docker-volumes/guacamole/psql/init/.
+
+# Option2: create it dynamically and place it to the new location
+docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql > /mnt/docker-volumes/guacamole/psql/init/initdb.sql
+````
+
+Afterwards, you can spawn up the Docker stack as follows:
+
+````
+docker compose up -d
+````
+
+The Guacamole login is available at `http://<YOUR-IP>:8080/guacamole`.
+
+The default username is `guacadmin`. The default password is `guacadmin`.

examples/guacamole/docker-compose.yml

@@ -0,0 +1,64 @@
+version: '2.0'
+
+services:
+
+  guacd:
+    image: guacamole/guacd
+    container_name: guacamole-guacd
+    restart: always
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/guacd/drive:/drive:rw
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/guacd/record:/record:rw
+    #networks:
+    #  - proxy
+
+  postgres:
+    image: postgres:15.2-alpine
+    container_name: guacamole-db
+    restart: always
+    environment:
+      - PGDATA=/var/lib/postgresql/data/guacamole
+      - POSTGRES_DB=guacamole_db
+      - POSTGRES_PASSWORD=ChooseYourOwnPasswordHere1234
+      - POSTGRES_USER=guacamole_user
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/psql/init:/docker-entrypoint-initdb.d:z
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/psql/data:/var/lib/postgresql/data:Z
+    #networks:
+    #  - proxy
+
+  # guacamole
+  guacamole:
+    image: guacamole/guacamole
+    container_name: guacamole-ui
+    restart: always
+    depends_on:
+      - guacd
+      - postgres
+    environment:
+      - GUACD_HOSTNAME=guacd
+      - POSTGRES_DATABASE=guacamole_db
+      - POSTGRES_HOSTNAME=postgres
+      - POSTGRES_PASSWORD=ChooseYourOwnPasswordHere1234
+      - POSTGRES_USER=guacamole_user
+    links:
+      - guacd
+    ports:
+      # Guacamole is on :8080/guacamole, not /.
+      # Default login is guacadmin:guacadmin
+      - 8080:8080/tcp 
+    expose:
+      - 8080
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.guacamole.rule=Host(`guacamole.example.com`) && PathPrefix(`/guacamole`)
+    #  - traefik.http.services.guacamole.loadbalancer.server.port=8080
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.guacamole.middlewares=local-ipwhitelist@file,authelia@docker
+
+#networks:
+#  proxy:
+#    external: true

examples/guacamole/initdb.sql

@@ -0,0 +1,791 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements.  See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership.  The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License.  You may obtain a copy of the License at
+--
+--   http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+-- KIND, either express or implied.  See the License for the
+-- specific language governing permissions and limitations
+-- under the License.
+--
+
+--
+-- Connection group types
+--
+
+CREATE TYPE guacamole_connection_group_type AS ENUM(
+    'ORGANIZATIONAL',
+    'BALANCING'
+);
+
+--
+-- Entity types
+--
+
+CREATE TYPE guacamole_entity_type AS ENUM(
+    'USER',
+    'USER_GROUP'
+);
+
+--
+-- Object permission types
+--
+
+CREATE TYPE guacamole_object_permission_type AS ENUM(
+    'READ',
+    'UPDATE',
+    'DELETE',
+    'ADMINISTER'
+);
+
+--
+-- System permission types
+--
+
+CREATE TYPE guacamole_system_permission_type AS ENUM(
+    'CREATE_CONNECTION',
+    'CREATE_CONNECTION_GROUP',
+    'CREATE_SHARING_PROFILE',
+    'CREATE_USER',
+    'CREATE_USER_GROUP',
+    'ADMINISTER'
+);
+
+--
+-- Guacamole proxy (guacd) encryption methods
+--
+
+CREATE TYPE guacamole_proxy_encryption_method AS ENUM(
+    'NONE',
+    'SSL'
+);
+
+--
+-- Table of connection groups. Each connection group has a name.
+--
+
+CREATE TABLE guacamole_connection_group (
+
+  connection_group_id   serial       NOT NULL,
+  parent_id             integer,
+  connection_group_name varchar(128) NOT NULL,
+  type                  guacamole_connection_group_type
+                        NOT NULL DEFAULT 'ORGANIZATIONAL',
+
+  -- Concurrency limits
+  max_connections          integer,
+  max_connections_per_user integer,
+  enable_session_affinity  boolean NOT NULL DEFAULT FALSE,
+
+  PRIMARY KEY (connection_group_id),
+
+  CONSTRAINT connection_group_name_parent
+    UNIQUE (connection_group_name, parent_id),
+
+  CONSTRAINT guacamole_connection_group_ibfk_1
+    FOREIGN KEY (parent_id)
+    REFERENCES guacamole_connection_group (connection_group_id)
+    ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_connection_group_parent_id
+    ON guacamole_connection_group(parent_id);
+
+--
+-- Table of connections. Each connection has a name, protocol, and
+-- associated set of parameters.
+-- A connection may belong to a connection group.
+--
+
+CREATE TABLE guacamole_connection (
+
+  connection_id       serial       NOT NULL,
+  connection_name     varchar(128) NOT NULL,
+  parent_id           integer,
+  protocol            varchar(32)  NOT NULL,
+  
+  -- Concurrency limits
+  max_connections          integer,
+  max_connections_per_user integer,
+
+  -- Connection Weight
+  connection_weight        integer,
+  failover_only            boolean NOT NULL DEFAULT FALSE,
+
+  -- Guacamole proxy (guacd) overrides
+  proxy_port              integer,
+  proxy_hostname          varchar(512),
+  proxy_encryption_method guacamole_proxy_encryption_method,
+
+  PRIMARY KEY (connection_id),
+
+  CONSTRAINT connection_name_parent
+    UNIQUE (connection_name, parent_id),
+
+  CONSTRAINT guacamole_connection_ibfk_1
+    FOREIGN KEY (parent_id)
+    REFERENCES guacamole_connection_group (connection_group_id)
+    ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_connection_parent_id
+    ON guacamole_connection(parent_id);
+
+--
+-- Table of base entities which may each be either a user or user group. Other
+-- tables which represent qualities shared by both users and groups will point
+-- to guacamole_entity, while tables which represent qualities specific to
+-- users or groups will point to guacamole_user or guacamole_user_group.
+--
+
+CREATE TABLE guacamole_entity (
+
+  entity_id     serial                  NOT NULL,
+  name          varchar(128)            NOT NULL,
+  type          guacamole_entity_type   NOT NULL,
+
+  PRIMARY KEY (entity_id),
+
+  CONSTRAINT guacamole_entity_name_scope
+    UNIQUE (type, name)
+
+);
+
+--
+-- Table of users. Each user has a unique username and a hashed password
+-- with corresponding salt. Although the authentication system will always set
+-- salted passwords, other systems may set unsalted passwords by simply not
+-- providing the salt.
+--
+
+CREATE TABLE guacamole_user (
+
+  user_id       serial       NOT NULL,
+  entity_id     integer      NOT NULL,
+
+  -- Optionally-salted password
+  password_hash bytea        NOT NULL,
+  password_salt bytea,
+  password_date timestamptz  NOT NULL,
+
+  -- Account disabled/expired status
+  disabled      boolean      NOT NULL DEFAULT FALSE,
+  expired       boolean      NOT NULL DEFAULT FALSE,
+
+  -- Time-based access restriction
+  access_window_start    time,
+  access_window_end      time,
+
+  -- Date-based access restriction
+  valid_from  date,
+  valid_until date,
+
+  -- Timezone used for all date/time comparisons and interpretation
+  timezone varchar(64),
+
+  -- Profile information
+  full_name           varchar(256),
+  email_address       varchar(256),
+  organization        varchar(256),
+  organizational_role varchar(256),
+
+  PRIMARY KEY (user_id),
+
+  CONSTRAINT guacamole_user_single_entity
+    UNIQUE (entity_id),
+
+  CONSTRAINT guacamole_user_entity
+    FOREIGN KEY (entity_id)
+    REFERENCES guacamole_entity (entity_id)
+    ON DELETE CASCADE
+
+);
+
+--
+-- Table of user groups. Each user group may have an arbitrary set of member
+-- users and member groups, with those members inheriting the permissions
+-- granted to that group.
+--
+
+CREATE TABLE guacamole_user_group (
+
+  user_group_id serial      NOT NULL,
+  entity_id     integer     NOT NULL,
+
+  -- Group disabled status
+  disabled      boolean     NOT NULL DEFAULT FALSE,
+
+  PRIMARY KEY (user_group_id),
+
+  CONSTRAINT guacamole_user_group_single_entity
+    UNIQUE (entity_id),
+
+  CONSTRAINT guacamole_user_group_entity
+    FOREIGN KEY (entity_id)
+    REFERENCES guacamole_entity (entity_id)
+    ON DELETE CASCADE
+
+);
+
+--
+-- Table of users which are members of given user groups.
+--
+
+CREATE TABLE guacamole_user_group_member (
+
+  user_group_id    integer       NOT NULL,
+  member_entity_id integer       NOT NULL,
+
+  PRIMARY KEY (user_group_id, member_entity_id),
+
+  -- Parent must be a user group
+  CONSTRAINT guacamole_user_group_member_parent
+    FOREIGN KEY (user_group_id)
+    REFERENCES guacamole_user_group (user_group_id) ON DELETE CASCADE,
+
+  -- Member may be either a user or a user group (any entity)
+  CONSTRAINT guacamole_user_group_member_entity
+    FOREIGN KEY (member_entity_id)
+    REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE
+
+);
+
+--
+-- Table of sharing profiles. Each sharing profile has a name, associated set
+-- of parameters, and a primary connection. The primary connection is the
+-- connection that the sharing profile shares, and the parameters dictate the
+-- restrictions/features which apply to the user joining the connection via the
+-- sharing profile.
+--
+
+CREATE TABLE guacamole_sharing_profile (
+
+  sharing_profile_id    serial       NOT NULL,
+  sharing_profile_name  varchar(128) NOT NULL,
+  primary_connection_id integer      NOT NULL,
+
+  PRIMARY KEY (sharing_profile_id),
+
+  CONSTRAINT sharing_profile_name_primary
+    UNIQUE (sharing_profile_name, primary_connection_id),
+
+  CONSTRAINT guacamole_sharing_profile_ibfk_1
+    FOREIGN KEY (primary_connection_id)
+    REFERENCES guacamole_connection (connection_id)
+    ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_sharing_profile_primary_connection_id
+    ON guacamole_sharing_profile(primary_connection_id);
+
+--
+-- Table of connection parameters. Each parameter is simply a name/value pair
+-- associated with a connection.
+--
+
+CREATE TABLE guacamole_connection_parameter (
+
+  connection_id   integer       NOT NULL,
+  parameter_name  varchar(128)  NOT NULL,
+  parameter_value varchar(4096) NOT NULL,
+
+  PRIMARY KEY (connection_id,parameter_name),
+
+  CONSTRAINT guacamole_connection_parameter_ibfk_1
+    FOREIGN KEY (connection_id)
+    REFERENCES guacamole_connection (connection_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_connection_parameter_connection_id
+    ON guacamole_connection_parameter(connection_id);
+
+--
+-- Table of sharing profile parameters. Each parameter is simply
+-- name/value pair associated with a sharing profile. These parameters dictate
+-- the restrictions/features which apply to the user joining the associated
+-- connection via the sharing profile.
+--
+
+CREATE TABLE guacamole_sharing_profile_parameter (
+
+  sharing_profile_id integer       NOT NULL,
+  parameter_name     varchar(128)  NOT NULL,
+  parameter_value    varchar(4096) NOT NULL,
+
+  PRIMARY KEY (sharing_profile_id, parameter_name),
+
+  CONSTRAINT guacamole_sharing_profile_parameter_ibfk_1
+    FOREIGN KEY (sharing_profile_id)
+    REFERENCES guacamole_sharing_profile (sharing_profile_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_sharing_profile_parameter_sharing_profile_id
+    ON guacamole_sharing_profile_parameter(sharing_profile_id);
+
+--
+-- Table of arbitrary user attributes. Each attribute is simply a name/value
+-- pair associated with a user. Arbitrary attributes are defined by other
+-- extensions. Attributes defined by this extension will be mapped to
+-- properly-typed columns of a specific table.
+--
+
+CREATE TABLE guacamole_user_attribute (
+
+  user_id         integer       NOT NULL,
+  attribute_name  varchar(128)  NOT NULL,
+  attribute_value varchar(4096) NOT NULL,
+
+  PRIMARY KEY (user_id, attribute_name),
+
+  CONSTRAINT guacamole_user_attribute_ibfk_1
+    FOREIGN KEY (user_id)
+    REFERENCES guacamole_user (user_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_user_attribute_user_id
+    ON guacamole_user_attribute(user_id);
+
+--
+-- Table of arbitrary user group attributes. Each attribute is simply a
+-- name/value pair associated with a user group. Arbitrary attributes are
+-- defined by other extensions. Attributes defined by this extension will be
+-- mapped to properly-typed columns of a specific table.
+--
+
+CREATE TABLE guacamole_user_group_attribute (
+
+  user_group_id   integer       NOT NULL,
+  attribute_name  varchar(128)  NOT NULL,
+  attribute_value varchar(4096) NOT NULL,
+
+  PRIMARY KEY (user_group_id, attribute_name),
+
+  CONSTRAINT guacamole_user_group_attribute_ibfk_1
+    FOREIGN KEY (user_group_id)
+    REFERENCES guacamole_user_group (user_group_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_user_group_attribute_user_group_id
+    ON guacamole_user_group_attribute(user_group_id);
+
+--
+-- Table of arbitrary connection attributes. Each attribute is simply a
+-- name/value pair associated with a connection. Arbitrary attributes are
+-- defined by other extensions. Attributes defined by this extension will be
+-- mapped to properly-typed columns of a specific table.
+--
+
+CREATE TABLE guacamole_connection_attribute (
+
+  connection_id   integer       NOT NULL,
+  attribute_name  varchar(128)  NOT NULL,
+  attribute_value varchar(4096) NOT NULL,
+
+  PRIMARY KEY (connection_id, attribute_name),
+
+  CONSTRAINT guacamole_connection_attribute_ibfk_1
+    FOREIGN KEY (connection_id)
+    REFERENCES guacamole_connection (connection_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_connection_attribute_connection_id
+    ON guacamole_connection_attribute(connection_id);
+
+--
+-- Table of arbitrary connection group attributes. Each attribute is simply a
+-- name/value pair associated with a connection group. Arbitrary attributes are
+-- defined by other extensions. Attributes defined by this extension will be
+-- mapped to properly-typed columns of a specific table.
+--
+
+CREATE TABLE guacamole_connection_group_attribute (
+
+  connection_group_id integer       NOT NULL,
+  attribute_name      varchar(128)  NOT NULL,
+  attribute_value     varchar(4096) NOT NULL,
+
+  PRIMARY KEY (connection_group_id, attribute_name),
+
+  CONSTRAINT guacamole_connection_group_attribute_ibfk_1
+    FOREIGN KEY (connection_group_id)
+    REFERENCES guacamole_connection_group (connection_group_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_connection_group_attribute_connection_group_id
+    ON guacamole_connection_group_attribute(connection_group_id);
+
+--
+-- Table of arbitrary sharing profile attributes. Each attribute is simply a
+-- name/value pair associated with a sharing profile. Arbitrary attributes are
+-- defined by other extensions. Attributes defined by this extension will be
+-- mapped to properly-typed columns of a specific table.
+--
+
+CREATE TABLE guacamole_sharing_profile_attribute (
+
+  sharing_profile_id integer       NOT NULL,
+  attribute_name     varchar(128)  NOT NULL,
+  attribute_value    varchar(4096) NOT NULL,
+
+  PRIMARY KEY (sharing_profile_id, attribute_name),
+
+  CONSTRAINT guacamole_sharing_profile_attribute_ibfk_1
+    FOREIGN KEY (sharing_profile_id)
+    REFERENCES guacamole_sharing_profile (sharing_profile_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_sharing_profile_attribute_sharing_profile_id
+    ON guacamole_sharing_profile_attribute(sharing_profile_id);
+
+--
+-- Table of connection permissions. Each connection permission grants a user or
+-- user group specific access to a connection.
+--
+
+CREATE TABLE guacamole_connection_permission (
+
+  entity_id     integer NOT NULL,
+  connection_id integer NOT NULL,
+  permission    guacamole_object_permission_type NOT NULL,
+
+  PRIMARY KEY (entity_id, connection_id, permission),
+
+  CONSTRAINT guacamole_connection_permission_ibfk_1
+    FOREIGN KEY (connection_id)
+    REFERENCES guacamole_connection (connection_id) ON DELETE CASCADE,
+
+  CONSTRAINT guacamole_connection_permission_entity
+    FOREIGN KEY (entity_id)
+    REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_connection_permission_connection_id
+    ON guacamole_connection_permission(connection_id);
+
+CREATE INDEX guacamole_connection_permission_entity_id
+    ON guacamole_connection_permission(entity_id);
+
+--
+-- Table of connection group permissions. Each group permission grants a user
+-- or user group specific access to a connection group.
+--
+
+CREATE TABLE guacamole_connection_group_permission (
+
+  entity_id           integer NOT NULL,
+  connection_group_id integer NOT NULL,
+  permission          guacamole_object_permission_type NOT NULL,
+
+  PRIMARY KEY (entity_id, connection_group_id, permission),
+
+  CONSTRAINT guacamole_connection_group_permission_ibfk_1
+    FOREIGN KEY (connection_group_id)
+    REFERENCES guacamole_connection_group (connection_group_id) ON DELETE CASCADE,
+
+  CONSTRAINT guacamole_connection_group_permission_entity
+    FOREIGN KEY (entity_id)
+    REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_connection_group_permission_connection_group_id
+    ON guacamole_connection_group_permission(connection_group_id);
+
+CREATE INDEX guacamole_connection_group_permission_entity_id
+    ON guacamole_connection_group_permission(entity_id);
+
+--
+-- Table of sharing profile permissions. Each sharing profile permission grants
+-- a user or user group specific access to a sharing profile.
+--
+
+CREATE TABLE guacamole_sharing_profile_permission (
+
+  entity_id          integer NOT NULL,
+  sharing_profile_id integer NOT NULL,
+  permission         guacamole_object_permission_type NOT NULL,
+
+  PRIMARY KEY (entity_id, sharing_profile_id, permission),
+
+  CONSTRAINT guacamole_sharing_profile_permission_ibfk_1
+    FOREIGN KEY (sharing_profile_id)
+    REFERENCES guacamole_sharing_profile (sharing_profile_id) ON DELETE CASCADE,
+
+  CONSTRAINT guacamole_sharing_profile_permission_entity
+    FOREIGN KEY (entity_id)
+    REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_sharing_profile_permission_sharing_profile_id
+    ON guacamole_sharing_profile_permission(sharing_profile_id);
+
+CREATE INDEX guacamole_sharing_profile_permission_entity_id
+    ON guacamole_sharing_profile_permission(entity_id);
+
+--
+-- Table of system permissions. Each system permission grants a user or user
+-- group a system-level privilege of some kind.
+--
+
+CREATE TABLE guacamole_system_permission (
+
+  entity_id  integer NOT NULL,
+  permission guacamole_system_permission_type NOT NULL,
+
+  PRIMARY KEY (entity_id, permission),
+
+  CONSTRAINT guacamole_system_permission_entity
+    FOREIGN KEY (entity_id)
+    REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_system_permission_entity_id
+    ON guacamole_system_permission(entity_id);
+
+--
+-- Table of user permissions. Each user permission grants a user or user group
+-- access to another user (the "affected" user) for a specific type of
+-- operation.
+--
+
+CREATE TABLE guacamole_user_permission (
+
+  entity_id        integer NOT NULL,
+  affected_user_id integer NOT NULL,
+  permission       guacamole_object_permission_type NOT NULL,
+
+  PRIMARY KEY (entity_id, affected_user_id, permission),
+
+  CONSTRAINT guacamole_user_permission_ibfk_1
+    FOREIGN KEY (affected_user_id)
+    REFERENCES guacamole_user (user_id) ON DELETE CASCADE,
+
+  CONSTRAINT guacamole_user_permission_entity
+    FOREIGN KEY (entity_id)
+    REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_user_permission_affected_user_id
+    ON guacamole_user_permission(affected_user_id);
+
+CREATE INDEX guacamole_user_permission_entity_id
+    ON guacamole_user_permission(entity_id);
+
+--
+-- Table of user group permissions. Each user group permission grants a user
+-- or user group access to a another user group (the "affected" user group) for
+-- a specific type of operation.
+--
+
+CREATE TABLE guacamole_user_group_permission (
+
+  entity_id              integer NOT NULL,
+  affected_user_group_id integer NOT NULL,
+  permission             guacamole_object_permission_type NOT NULL,
+
+  PRIMARY KEY (entity_id, affected_user_group_id, permission),
+
+  CONSTRAINT guacamole_user_group_permission_affected_user_group
+    FOREIGN KEY (affected_user_group_id)
+    REFERENCES guacamole_user_group (user_group_id) ON DELETE CASCADE,
+
+  CONSTRAINT guacamole_user_group_permission_entity
+    FOREIGN KEY (entity_id)
+    REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_user_group_permission_affected_user_group_id
+    ON guacamole_user_group_permission(affected_user_group_id);
+
+CREATE INDEX guacamole_user_group_permission_entity_id
+    ON guacamole_user_group_permission(entity_id);
+
+--
+-- Table of connection history records. Each record defines a specific user's
+-- session, including the connection used, the start time, and the end time
+-- (if any).
+--
+
+CREATE TABLE guacamole_connection_history (
+
+  history_id           serial       NOT NULL,
+  user_id              integer      DEFAULT NULL,
+  username             varchar(128) NOT NULL,
+  remote_host          varchar(256) DEFAULT NULL,
+  connection_id        integer      DEFAULT NULL,
+  connection_name      varchar(128) NOT NULL,
+  sharing_profile_id   integer      DEFAULT NULL,
+  sharing_profile_name varchar(128) DEFAULT NULL,
+  start_date           timestamptz  NOT NULL,
+  end_date             timestamptz  DEFAULT NULL,
+
+  PRIMARY KEY (history_id),
+
+  CONSTRAINT guacamole_connection_history_ibfk_1
+    FOREIGN KEY (user_id)
+    REFERENCES guacamole_user (user_id) ON DELETE SET NULL,
+
+  CONSTRAINT guacamole_connection_history_ibfk_2
+    FOREIGN KEY (connection_id)
+    REFERENCES guacamole_connection (connection_id) ON DELETE SET NULL,
+
+  CONSTRAINT guacamole_connection_history_ibfk_3
+    FOREIGN KEY (sharing_profile_id)
+    REFERENCES guacamole_sharing_profile (sharing_profile_id) ON DELETE SET NULL
+
+);
+
+CREATE INDEX guacamole_connection_history_user_id
+    ON guacamole_connection_history(user_id);
+
+CREATE INDEX guacamole_connection_history_connection_id
+    ON guacamole_connection_history(connection_id);
+
+CREATE INDEX guacamole_connection_history_sharing_profile_id
+    ON guacamole_connection_history(sharing_profile_id);
+
+CREATE INDEX guacamole_connection_history_start_date
+    ON guacamole_connection_history(start_date);
+
+CREATE INDEX guacamole_connection_history_end_date
+    ON guacamole_connection_history(end_date);
+
+CREATE INDEX guacamole_connection_history_connection_id_start_date
+    ON guacamole_connection_history(connection_id, start_date);
+
+--
+-- User login/logout history
+--
+
+CREATE TABLE guacamole_user_history (
+
+  history_id           serial       NOT NULL,
+  user_id              integer      DEFAULT NULL,
+  username             varchar(128) NOT NULL,
+  remote_host          varchar(256) DEFAULT NULL,
+  start_date           timestamptz  NOT NULL,
+  end_date             timestamptz  DEFAULT NULL,
+
+  PRIMARY KEY (history_id),
+
+  CONSTRAINT guacamole_user_history_ibfk_1
+    FOREIGN KEY (user_id)
+    REFERENCES guacamole_user (user_id) ON DELETE SET NULL
+
+);
+
+CREATE INDEX guacamole_user_history_user_id
+    ON guacamole_user_history(user_id);
+
+CREATE INDEX guacamole_user_history_start_date
+    ON guacamole_user_history(start_date);
+
+CREATE INDEX guacamole_user_history_end_date
+    ON guacamole_user_history(end_date);
+
+CREATE INDEX guacamole_user_history_user_id_start_date
+    ON guacamole_user_history(user_id, start_date);
+
+--
+-- User password history
+--
+
+CREATE TABLE guacamole_user_password_history (
+
+  password_history_id serial  NOT NULL,
+  user_id             integer NOT NULL,
+
+  -- Salted password
+  password_hash bytea        NOT NULL,
+  password_salt bytea,
+  password_date timestamptz  NOT NULL,
+
+  PRIMARY KEY (password_history_id),
+
+  CONSTRAINT guacamole_user_password_history_ibfk_1
+    FOREIGN KEY (user_id)
+    REFERENCES guacamole_user (user_id) ON DELETE CASCADE
+
+);
+
+CREATE INDEX guacamole_user_password_history_user_id
+    ON guacamole_user_password_history(user_id);
+
+--
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements.  See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership.  The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License.  You may obtain a copy of the License at
+--
+--   http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+-- KIND, either express or implied.  See the License for the
+-- specific language governing permissions and limitations
+-- under the License.
+--
+
+-- Create default user "guacadmin" with password "guacadmin"
+INSERT INTO guacamole_entity (name, type) VALUES ('guacadmin', 'USER');
+INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date)
+SELECT
+    entity_id,
+    decode('CA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960', 'hex'),  -- 'guacadmin'
+    decode('FE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264', 'hex'),
+    CURRENT_TIMESTAMP
+FROM guacamole_entity WHERE name = 'guacadmin' AND guacamole_entity.type = 'USER';
+
+-- Grant this user all system permissions
+INSERT INTO guacamole_system_permission (entity_id, permission)
+SELECT entity_id, permission::guacamole_system_permission_type
+FROM (
+    VALUES
+        ('guacadmin', 'CREATE_CONNECTION'),
+        ('guacadmin', 'CREATE_CONNECTION_GROUP'),
+        ('guacadmin', 'CREATE_SHARING_PROFILE'),
+        ('guacadmin', 'CREATE_USER'),
+        ('guacadmin', 'CREATE_USER_GROUP'),
+        ('guacadmin', 'ADMINISTER')
+) permissions (username, permission)
+JOIN guacamole_entity ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER';
+
+-- Grant admin permission to read/update/administer self
+INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission)
+SELECT guacamole_entity.entity_id, guacamole_user.user_id, permission::guacamole_object_permission_type
+FROM (
+    VALUES
+        ('guacadmin', 'guacadmin', 'READ'),
+        ('guacadmin', 'guacadmin', 'UPDATE'),
+        ('guacadmin', 'guacadmin', 'ADMINISTER')
+) permissions (username, affected_username, permission)
+JOIN guacamole_entity          ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER'
+JOIN guacamole_entity affected ON permissions.affected_username = affected.name AND guacamole_entity.type = 'USER'
+JOIN guacamole_user            ON guacamole_user.entity_id = affected.entity_id;

examples/overleaf/docker-compose.yml

@@ -14,8 +14,9 @@ services:
         links:
             - mongo
             - redis
+        stop_grace_period: 60s
         volumes:
-            - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/sharelatex/data:/var/lib/sharelatex
+            - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/sharelatex/data:/var/lib/overleaf
             ########################################################################
             ####  Server Pro: Uncomment the following line to mount the docker  ####
             ####             socket, required for Sibling Containers to work    ####
@@ -23,12 +24,12 @@ services:
             # - /var/run/docker.sock:/var/run/docker.sock
         environment:
 
-            SHARELATEX_APP_NAME: Overleaf Community Edition
-            SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
+            OVERLEAF_APP_NAME: Overleaf Community Edition
+            OVERLEAF_MONGO_URL: mongodb://mongo/sharelatex
 
             # Same property, unfortunately with different names in
             # different locations
-            SHARELATEX_REDIS_HOST: redis
+            OVERLEAF_REDIS_HOST: redis
             REDIS_HOST: redis
 
             ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file'
@@ -46,29 +47,31 @@ services:
             ## Set for SSL via nginx-proxy
             #VIRTUAL_HOST: 103.112.212.22
 
-            # SHARELATEX_SITE_URL: http://sharelatex.mydomain.com
-            # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance
-            # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png
-            # SHARELATEX_ADMIN_EMAIL: support@it.com
+            # OVERLEAF_SITE_URL: http://overleaf.example.com
+            # OVERLEAF_NAV_TITLE: Overleaf Community Edition
+            # OVERLEAF_HEADER_IMAGE_URL: http://example.com/mylogo.png
+            # OVERLEAF_ADMIN_EMAIL: support@it.com
 
-            # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"},{"text": "Another page I want to link to can be found <a href=\"here\">here</a>"} ]'
-            # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]'
+            # OVERLEAF_LEFT_FOOTER: '[{"text": "Another page I want to link to can be found <a href=\"here\">here</a>"} ]'
+            # OVERLEAF_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]'
 
-            # SHARELATEX_EMAIL_FROM_ADDRESS: "team@sharelatex.com"
+            # OVERLEAF_EMAIL_FROM_ADDRESS: "hello@example.com"
 
-            # SHARELATEX_EMAIL_AWS_SES_ACCESS_KEY_ID:
-            # SHARELATEX_EMAIL_AWS_SES_SECRET_KEY:
+            # OVERLEAF_EMAIL_AWS_SES_ACCESS_KEY_ID:
+            # OVERLEAF_EMAIL_AWS_SES_SECRET_KEY:
 
-            # SHARELATEX_EMAIL_SMTP_HOST: smtp.mydomain.com
-            # SHARELATEX_EMAIL_SMTP_PORT: 587
-            # SHARELATEX_EMAIL_SMTP_SECURE: false
-            # SHARELATEX_EMAIL_SMTP_USER:
-            # SHARELATEX_EMAIL_SMTP_PASS:
-            # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
-            # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
-            # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1'
-            # SHARELATEX_EMAIL_SMTP_LOGGER: true
-            # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x"
+            # OVERLEAF_EMAIL_SMTP_HOST: smtp.example.com
+            # OVERLEAF_EMAIL_SMTP_PORT: 587
+            # OVERLEAF_EMAIL_SMTP_SECURE: false
+            # OVERLEAF_EMAIL_SMTP_USER:
+            # OVERLEAF_EMAIL_SMTP_PASS:
+            # OVERLEAF_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
+            # OVERLEAF_EMAIL_SMTP_IGNORE_TLS: false
+            # OVERLEAF_EMAIL_SMTP_NAME: '127.0.0.1'
+            # OVERLEAF_EMAIL_SMTP_LOGGER: true
+            # OVERLEAF_CUSTOM_EMAIL_FOOTER: "This system is run by department x"
+
+            # ENABLE_CRON_RESOURCE_DELETION: true
 
             ################
             ## Server Pro ##
@@ -82,25 +85,25 @@ services:
             # DOCKER_RUNNER: 'false'
 
             ## Works with test LDAP server shown at bottom of docker compose
-            # SHARELATEX_LDAP_URL: 'ldap://ldap:389'
-            # SHARELATEX_LDAP_SEARCH_BASE: 'ou=people,dc=planetexpress,dc=com'
-            # SHARELATEX_LDAP_SEARCH_FILTER: '(uid={{username}})'
-            # SHARELATEX_LDAP_BIND_DN: 'cn=admin,dc=planetexpress,dc=com'
-            # SHARELATEX_LDAP_BIND_CREDENTIALS: 'GoodNewsEveryone'
-            # SHARELATEX_LDAP_EMAIL_ATT: 'mail'
-            # SHARELATEX_LDAP_NAME_ATT: 'cn'
-            # SHARELATEX_LDAP_LAST_NAME_ATT: 'sn'
-            # SHARELATEX_LDAP_UPDATE_USER_DETAILS_ON_LOGIN: 'true'
+            # OVERLEAF_LDAP_URL: 'ldap://ldap:389'
+            # OVERLEAF_LDAP_SEARCH_BASE: 'ou=people,dc=planetexpress,dc=com'
+            # OVERLEAF_LDAP_SEARCH_FILTER: '(uid={{username}})'
+            # OVERLEAF_LDAP_BIND_DN: 'cn=admin,dc=planetexpress,dc=com'
+            # OVERLEAF_LDAP_BIND_CREDENTIALS: 'GoodNewsEveryone'
+            # OVERLEAF_LDAP_EMAIL_ATT: 'mail'
+            # OVERLEAF_LDAP_NAME_ATT: 'cn'
+            # OVERLEAF_LDAP_LAST_NAME_ATT: 'sn'
+            # OVERLEAF_LDAP_UPDATE_USER_DETAILS_ON_LOGIN: 'true'
 
-            # SHARELATEX_TEMPLATES_USER_ID: "578773160210479700917ee5"
-            # SHARELATEX_NEW_PROJECT_TEMPLATE_LINKS: '[ {"name":"All Templates","url":"/templates/all"}]'
+            # OVERLEAF_TEMPLATES_USER_ID: "578773160210479700917ee5"
+            # OVERLEAF_NEW_PROJECT_TEMPLATE_LINKS: '[ {"name":"All Templates","url":"/templates/all"}]'
 
 
-            # SHARELATEX_PROXY_LEARN: "true"
+            # OVERLEAF_PROXY_LEARN: "true"
 
     mongo:
         restart: always
-        image: mongo:4.4
+        image: mongo:5.0
         container_name: sharelatex-mongo
         expose:
             - 27017
@@ -114,7 +117,7 @@ services:
 
     redis:
         restart: always
-        image: redis:5
+        image: redis:6.2-alpine
         container_name: sharelatex-redis
         expose:
             - 6379

examples/papermerge/README.md

@@ -2,3 +2,7 @@
 
 - https://github.com/ciur/papermerge/blob/master/docker/docker-compose.yml
 - https://hub.docker.com/r/linuxserver/papermerge (deprecated)
+
+# Notes
+
+Default login is `admin:admin`

examples/papermerge/docker-compose.yml

@@ -0,0 +1,85 @@
+version: '3.7'
+
+services:
+
+  app:
+    image: eugenci/papermerge:2.0.0
+    container_name: papermerge-app
+    restart: unless-stopped
+    expose:
+      - 8000
+    ports:
+      - 8888:8000
+    depends_on:
+      - db
+      - redis
+      - worker
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/papermerge/media_root:/opt/media
+    environment:
+      - DJANGO_SETTINGS_MODULE=config.settings.production
+      - POSTGRES_USER=dbuser
+      - POSTGRES_PASSWORD=dbpass
+      - POSTGRES_DB=dbname
+      - POSTGRES_HOST=db
+      - POSTGRES_PORT=5432
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.docker.network=proxy
+    #  - traefik.http.routers.papermerge.rule=Host(`papermerge.example.com`)
+    #  - traefik.http.services.papermerge.loadbalancer.server.port=8000
+    #  # Optional part for file upload max sizes
+    #  - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000
+    #  - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000
+    #  # Optional part for traefik middlewares
+    #  - traefik.http.routers.papermerge.middlewares=local-ipwhitelist@file,authelia@docker      
+
+  db:
+    image: postgres:12.3-alpine
+    container_name: papermerge-db
+    restart: unless-stopped
+    expose:
+      - 5432
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/papermerge/psql-data:/var/lib/postgresql/data/
+    environment:
+      - POSTGRES_USER=dbuser
+      - POSTGRES_PASSWORD=dbpass
+      - POSTGRES_DB=dbname
+    #networks:
+    #  - proxy
+
+  redis:
+    container_name: papermerge-redis
+    image: redis:6-alpine
+    restart: unless-stopped
+    expose:
+      - 6379
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/papermerge/redis-data:/data
+    #networks:
+    #  - proxy
+
+  worker:
+    image: eugenci/papermerge-worker:v2.0.0
+    container_name: papermerge-worker
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/papermerge/media_root:/opt/media
+    environment:
+      - DJANGO_SETTINGS_MODULE=config.settings.production
+      - POSTGRES_USER=dbuser
+      - POSTGRES_PASSWORD=dbpass
+      - POSTGRES_DB=dbname
+      - POSTGRES_HOST=db
+      - POSTGRES_PORT=5432
+    #networks:
+    #  - proxy
+
+#networks:
+#  proxy:
+#    external: true      

examples/traefik/fileConfig.yml

@@ -58,7 +58,7 @@ http:
           Server: "" # prevent version disclosure
           X-Powered-By: "" # prevent version disclosure
           X-Forwarded-Proto: "https"
-          #Permissions-Policy: "geolocation=(self), midi=(self), camera=(self), usb=(self), magnetometer=(self), accelerometer=(self), gyroscope=(self), microphone=(self)"
+          #Permissions-Policy: "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
           #Cross-Origin-Embedder-Policy: "unsafe-none"
           #Cross-Origin-Opener-Policy: "same-origin"
           #Cross-Origin-Resource-Policy: "same-site"
@@ -76,7 +76,7 @@ http:
         stsIncludeSubdomains: true # HTTP-Strict-Transport-Security (HSTS)
         stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS)
         stsPreload: true # HTTP-Strict-Transport-Security (HSTS)
-        #contentSecurityPolicy: "block-all-mixed-content" # Content-Security-Policy (CSP)
+        #contentSecurityPolicy: "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" # Content-Security-Policy (CSP)
 
     # Authelia guard
     authelia:

examples/vaultwarden/docker-compose.yml

@@ -37,9 +37,6 @@ services:
     #  - traefik.http.routers.vaultwarden.rule=Host(`bitwarden.example.com`)
     #  - traefik.http.routers.vaultwarden.service=vaultwarden
     #  - traefik.http.services.vaultwarden.loadbalancer.server.port=80
-    #  - traefik.http.routers.vaultwarden-ws.rule=Host(`bitwarden.example.com`) && Path(`/notifications/hub`)
-    #  - traefik.http.routers.vaultwarden-ws.service=vaultwarden-ws
-    #  - traefik.http.services.vaultwarden-ws.loadbalancer.server.port=3012
     #  - traefik.http.routers.vaultwarden-admin.rule=Host(`bitwarden.example.com`) && Path(`/admin`)
     #  - traefik.http.routers.vaultwarden-admin.service=vaultwarden
     #  - traefik.http.services.vaultwarden-admin.loadbalancer.server.port=80

examples/wikijs/docker-compose.yml

@@ -10,13 +10,13 @@ services:
     container_name: wikijs
     restart: unless-stopped
     ports:
-      - 3000:3000 # WEB UI
+      - 8888:3000 # WEB UI
     volumes:
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wikijs/config:/config
       - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wikijs/data:/data
     links:
       - db
-      
+
   db:
     environment:
       - POSTGRES_PASSWORD=MySecureDatabasePassword