{"id":44505962,"url":"https://github.com/itismowgli/corex-pro","last_synced_at":"2026-03-07T11:10:19.249Z","repository":{"id":338165502,"uuid":"1155317229","full_name":"itismowgli/corex-pro","owner":"itismowgli","description":"One script. 14 self-hosted services. Zero cloud dependency. Replaces Google Drive, Photos, Gmail, Bitwarden, Zapier, Vercel \u0026 ChatGPT on Ubuntu 24.04.","archived":false,"fork":false,"pushed_at":"2026-03-02T09:54:29.000Z","size":186,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-02T13:21:35.363Z","etag":null,"topics":["bash","cloudflare-tunnel","data-sovereignty","devops","docker","homelab","homeserver","immich","n8n","nextcloud","ollama","privacy","self-hosted","traefik","ubuntu","vaultwarden"],"latest_commit_sha":null,"homepage":"https://github.com/itismowgli/corex-pro#-quickstart","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itismowgli.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-11T11:26:29.000Z","updated_at":"2026-03-02T09:54:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/itismowgli/corex-pro","commit_stats":null,"previous_names":["itismowgli/corex-pro"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/itismowgli/corex-pro","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itismowgli%2Fcorex-pro","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itismowgli%2Fcorex-pro/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itismowgli%2Fcorex-pro/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itismowgli%2Fcorex-pro/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/itismowgli","download_url":"https://codeload.github.com/itismowgli/corex-pro/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itismowgli%2Fcorex-pro/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30212106,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-07T09:02:10.694Z","status":"ssl_error","status_checked_at":"2026-03-07T09:02:08.429Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","cloudflare-tunnel","data-sovereignty","devops","docker","homelab","homeserver","immich","n8n","nextcloud","ollama","privacy","self-hosted","traefik","ubuntu","vaultwarden"],"created_at":"2026-02-13T10:23:55.418Z","updated_at":"2026-03-07T11:10:19.232Z","avatar_url":"https://github.com/itismowgli.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/CoreX_Pro-v2.1.1-blue?style=for-the-badge\u0026logo=ubuntu\u0026logoColor=white\" alt=\"Version\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/Ubuntu-24.04_LTS-E95420?style=for-the-badge\u0026logo=ubuntu\u0026logoColor=white\" alt=\"Ubuntu\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/Docker-Compose-2496ED?style=for-the-badge\u0026logo=docker\u0026logoColor=white\" alt=\"Docker\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/License-MIT-green?style=for-the-badge\" alt=\"License\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003e\n CoreX Pro - Sovereign Hybrid Homelab\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n \u003cstrong\u003e\"Brains on System. Muscle on SSD.\"\u003c/strong\u003e\u003cbr\u003e\n One command. Choose your services. Zero cloud dependency. Full data sovereignty.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003ca href=\"#-quickstart\"\u003eQuickstart\u003c/a\u003e •\n \u003ca href=\"#-what-you-get\"\u003eWhat You Get\u003c/a\u003e •\n \u003ca href=\"#-architecture\"\u003eArchitecture\u003c/a\u003e •\n \u003ca href=\"#-services--use-cases\"\u003eServices\u003c/a\u003e •\n \u003ca href=\"#-post-install-guide\"\u003ePost-Install\u003c/a\u003e •\n \u003ca href=\"#-managing-services\"\u003eManaging Services\u003c/a\u003e •\n \u003ca href=\"#-backup--restore\"\u003eBackup\u003c/a\u003e •\n \u003ca href=\"#-uninstall--rollback\"\u003eUninstall\u003c/a\u003e •\n \u003ca href=\"#-troubleshooting\"\u003eTroubleshooting\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## 🤔 Why CoreX Pro?\n\nYou use Google Drive, Google Photos, Gmail, Bitwarden, Zapier, Vercel, ChatGPT, and a dozen other cloud services. You pay monthly for each, your data lives on someone else's servers, and you're one policy change away from losing access to your own files.\n\nCoreX Pro replaces all of them with self-hosted alternatives running on a single machine in your home. One command sets up everything — encrypted, backed up, accessible from anywhere via Cloudflare Tunnel. You choose exactly which services to install.\n\n**Who is this for?**\n\n- Developers who want a home server but don't want to spend weeks configuring it\n- Privacy-conscious users who want to own their data\n- Small teams that need shared infrastructure without SaaS costs\n- Tinkerers who want a solid foundation to build on\n\n**What you need:**\n\n- A machine running **Ubuntu 24.04 LTS Server** (mini PC, old laptop, NUC, or dedicated server)\n- **8GB+ RAM** (16GB recommended for AI services)\n- An **external SSD** (500GB minimum, 1TB recommended)\n- A **domain name** with DNS managed via Cloudflare (free tier works) — or run in local-only mode without one\n\n---\n\n## ⚡ Quickstart\n\n### One-Line Install (fresh server)\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/itismowgli/corex-pro/main/corex.sh | sudo bash\n```\n\nThis downloads CoreX Pro, launches an **interactive wizard**, and lets you choose exactly which services to install. Takes about 10–15 minutes depending on your internet speed.\n\n### Manual Install\n\n```bash\ngit clone https://github.com/itismowgli/corex-pro.git\ncd corex-pro\nsudo bash corex.sh install\n```\n\n### Interactive Menu (recommended for day-to-day use)\n\n```bash\nsudo bash corex.sh # Shows context-aware menu\n```\n\nThe menu auto-detects whether CoreX is installed and shows relevant options.\n\n### All Commands\n\n```bash\nsudo bash corex.sh install # Install (interactive wizard)\nsudo bash corex.sh doctor # Health check + auto-repair all services\nsudo bash corex.sh manage status # Live status dashboard\nsudo bash corex.sh manage add \u003csvc\u003e # Add a service you skipped during install\nsudo bash corex.sh manage lan-setup # Configure LAN fast-path (full-speed local transfers)\nsudo bash corex.sh update # Pull latest CoreX Pro version\nsudo bash corex.sh migrate # Change domain across all services\nsudo bash corex.sh nuke # Uninstall / rollback\nsudo bash corex.sh help # Full command reference\n```\n\nAfter install, credentials are at `/root/corex-credentials.txt` and a full guide at `/root/CoreX_Dashboard_Credentials.md`.\n\n---\n\n## 📦 What You Get\n\n| Replaces | With | Why Self-Host? |\n| ---------------------- | ------------------------ | -------------------------------------------------------------- |\n| Google Drive / Dropbox | **Nextcloud** | Unlimited storage, no monthly fees, your encryption keys |\n| Google Photos / iCloud | **Immich** | Face recognition, ML search, no storage limits, no AI training |\n| Gmail / Outlook | **Stalwart Mail** | Full email server, no scanning, custom domain |\n| Bitwarden / 1Password | **Vaultwarden** | Zero-knowledge passwords, family sharing, free |\n| Zapier / Make | **n8n** | Unlimited automations, no per-task pricing |\n| Vercel / Netlify | **Coolify** | Deploy any app, no vendor lock-in |\n| ChatGPT / Claude API | **Ollama + Open WebUI** | Local LLMs, zero API costs, full privacy |\n| Time Machine + NAS | **SMB via Docker** | Encrypted macOS backups to your own hardware |\n| UptimeRobot | **Uptime Kuma** | Beautiful status pages, unlimited monitors |\n| Datadog / New Relic | **Grafana + Prometheus** | Full observability, no per-host pricing |\n| Cloudflare Access | **Cloudflare Tunnel** | Zero port-forwarding, encrypted tunnel |\n| Pi-hole | **AdGuard Home** | DNS-level ad blocking + DNS rewrites for local routing |\n\n---\n\n## 🏗 Architecture\n\n```\n┌─ INTERNET ──────────────────────────────────────────────────┐\n│ Cloudflare Tunnel (encrypted, zero port-forwarding) │\n├─ SECURITY ──────────────────────────────────────────────────┤\n│ UFW → CrowdSec (community IPS) → Fail2ban (SSH jail) │\n│ SSH on custom port + kernel hardening + auto-updates │\n├─ DNS \u0026 ROUTING ─────────────────────────────────────────────┤\n│ AdGuard Home (DNS + ad blocking + local DNS rewrites) │\n│ Traefik v3 (HTTPS termination, Let's Encrypt, auto-certs) │\n├─ SERVICES ──────────────────────────────────────────────────┤\n│ 14 optional Docker containers on isolated networks │\n│ You choose which ones to install — nothing forced │\n├─ BACKUP ────────────────────────────────────────────────────┤\n│ Restic (encrypted, deduplicated, daily at 3AM) │\n├─ STORAGE ───────────────────────────────────────────────────┤\n│ Local Disk: OS + Docker Engine (the \"Brain\") │\n│ External SSD: All data, configs, backups (the \"Muscle\") │\n└─────────────────────────────────────────────────────────────┘\n```\n\n### Network Isolation\n\nServices are deployed across three isolated Docker networks:\n\n- **`proxy-net`** - All web-facing services + Traefik + Cloudflare Tunnel\n- **`monitoring-net`** - Prometheus + Grafana + exporters (no internet access)\n- **`ai-net`** - Ollama + Open WebUI + Browserless (sandboxed)\n\n### Storage Strategy\n\nCoreX separates the \"brain\" (OS + Docker engine on local disk) from the \"muscle\" (all data on external SSD). This means:\n\n- **Fast boot**: OS disk is lean, no large data volumes\n- **Easy migration**: Unplug SSD, plug into new machine, restore\n- **Clean backups**: Everything worth backing up is on one mount point\n- **SSD failure isolation**: OS survives if SSD dies, and vice versa\n\n```\nExternal SSD (/dev/sdX)\n├── Partition 1 (optional) → /mnt/timemachine # macOS Time Machine\n└── Partition 2 → /mnt/corex-data # Everything else\n ├── docker-configs/ # docker-compose.yml per service\n │ ├── traefik/\n │ ├── nextcloud/\n │ ├── immich/\n │ └── ...\n ├── service-data/ # Persistent data\n │ ├── nextcloud-html/\n │ ├── immich-upload/\n │ ├── vaultwarden/\n │ ├── ollama/ # Downloaded LLM models\n │ └── ...\n └── backups/\n └── restic-repo/ # Encrypted backup snapshots\n```\n\n### Plugin-Style Extensibility\n\nEvery service is a self-contained module in `lib/services/`. Adding a new service to CoreX requires only dropping one file:\n\n```\nlib/services/gitea.sh ← drop this file, that's it\n```\n\nThe wizard, `corex doctor`, and `corex manage` automatically discover and support it. No changes to any other file required.\n\n---\n\n## 🧰 Services \u0026 Use Cases\n\n### 🔀 Traefik - Reverse Proxy \u0026 TLS\n\n**What:** Automatic HTTPS for all services. Routes `*.yourdomain.com` to the right container.\n\n**How it works:** Watches Docker socket for containers with `traefik.enable=true` labels, automatically creates routes, gets Let's Encrypt certificates via TLS-ALPN-01 challenge.\n\n**Access:** `http://YOUR_IP:8080` (dashboard)\n\n---\n\n### 🛡 AdGuard Home - DNS \u0026 Ad Blocking\n\n**What:** Network-wide DNS server that blocks ads, trackers, and malware domains. Also serves as your local DNS for routing `*.yourdomain.com` directly to your server's LAN IP — bypassing Cloudflare for full-speed local transfers.\n\n**LAN fast-path setup (automated):**\n```bash\nsudo bash corex.sh manage lan-setup\n```\nAutomatically adds the wildcard DNS rewrite `*.yourdomain.com → SERVER_IP` via the AdGuard API and prints per-device/router DNS configuration instructions.\n\n**Access:** `http://YOUR_IP:3000`\n\n---\n\n### 🐳 Portainer - Docker Management\n\n**What:** Web UI for managing Docker containers, images, volumes, and networks. View logs, restart services, monitor resources — all from a browser.\n\n**Access:** `https://YOUR_IP:9443`\n\n---\n\n### ☁️ Nextcloud - File Storage \u0026 Sync\n\n**What:** Self-hosted Google Drive / Dropbox. File sync, calendar, contacts, notes, video calls, kanban boards.\n\n**Apps to install after setup:** Calendar, Contacts, Notes, Talk, Deck, Bookmarks\n\n**Access:** `https://nextcloud.yourdomain.com`\n\n---\n\n### 📸 Immich - Photo \u0026 Video Management\n\n**What:** Self-hosted Google Photos. AI-powered face recognition, smart search, automatic mobile backup. Downloads ~1GB of ML models on first start.\n\n**Access:** `https://photos.yourdomain.com`\n**Mobile:** [iOS](https://apps.apple.com/app/immich/id1613945652) / [Android](https://play.google.com/store/apps/details?id=app.alextran.immich)\n\n---\n\n### 🔐 Vaultwarden - Password Manager\n\n**What:** Lightweight, self-hosted Bitwarden server. Works with all official Bitwarden clients.\n\n**Important:** Disable signups after creating your accounts (`SIGNUPS_ALLOWED: \"false\"`).\n\n**Access:** `https://vault.yourdomain.com` / Admin: `https://vault.yourdomain.com/admin`\n\n---\n\n### ✉️ Stalwart Mail - Email Server\n\n**What:** All-in-one email server: SMTP, IMAP, CalDAV, CardDAV. Written in Rust. Admin credentials auto-captured from first-boot logs.\n\n**Note:** Self-hosted email has deliverability challenges. Consider an SMTP relay (SMTP2GO, Mailgun free tier) for outbound mail.\n\n**Access:** `https://mail.yourdomain.com`\n**Ports:** 25 (SMTP), 587 (Submission), 465 (SMTPS), 143 (IMAP), 993 (IMAPS)\n\n---\n\n### 🚀 Coolify - Web Hosting PaaS\n\n**What:** Self-hosted Vercel / Netlify / Heroku. Deploy web apps with git push, managed databases, preview deployments.\n\n**Note:** Installs via a helper script (separate from CoreX Traefik to avoid port conflicts).\n\n**Access:** `http://YOUR_IP:8000`\n\n---\n\n### ⚡ n8n - Workflow Automation\n\n**What:** Self-hosted Zapier / Make.com. Visual workflow builder with 400+ integrations. AI agent workflows work with Ollama.\n\n**Access:** `https://n8n.yourdomain.com`\n\n---\n\n### 💾 Time Machine - macOS Backups\n\n**What:** Network Time Machine server via SMB. Your Mac backs up automatically over Wi-Fi.\n\n**Access:** `smb://YOUR_IP/CoreX_Backup` or auto-discovered in System Settings → Time Machine.\n\n---\n\n### 📊 Uptime Kuma + Grafana + Prometheus - Monitoring\n\n**What:** Uptime Kuma for status pages and alerting (email, Slack, Discord, Telegram) + Grafana + Prometheus for full metrics and dashboards.\n\n**Quick start:** Import Grafana dashboard ID `1860` (Node Exporter Full).\n\n**Access:** Status at `https://status.yourdomain.com` / Grafana at `https://grafana.yourdomain.com`\n\n---\n\n### 🤖 AI Stack - Ollama + Open WebUI + Browserless\n\n**What:** Run LLMs locally with a ChatGPT-like interface + headless Chrome for AI agents. `llama3.2:3b` is pulled automatically.\n\n**Recommended models:**\n\n- `llama3.2:3b` — Fast, good for chat (3GB RAM)\n- `mistral:7b` — Balanced quality/speed (7GB RAM)\n- `codellama:7b` — Coding assistant (7GB RAM)\n\n**Access:** Chat at `https://ai.yourdomain.com` / Ollama API at `http://YOUR_IP:11434`\n\n---\n\n### 🛡 CrowdSec - Community IPS\n\n**What:** Community-powered intrusion prevention. Detects brute force, CVE exploits, and bot abuse. Shares threat intel globally — you block attackers before they target you.\n\n```bash\ndocker exec crowdsec cscli decisions list # View blocked IPs\ndocker exec crowdsec cscli metrics # View detection stats\n```\n\n---\n\n### 🔒 Cloudflare Tunnel - Secure External Access\n\n**What:** Encrypted tunnel from Cloudflare's edge to your server. Zero port forwarding required. DDoS protection and WAF included.\n\n**Critical:** In CF Dashboard → Tunnels → Public Hostnames, use **container names** (e.g., `n8n:5678`), not `localhost`.\n\n---\n\n## 📋 Post-Install Guide\n\nAfter the script completes, follow these steps **in order**:\n\n### 1. AdGuard Home (DNS) - Do This First\n\n1. Open `http://YOUR_IP:3000` and complete the setup wizard\n2. Run the automated LAN fast-path setup — it adds the wildcard DNS rewrite and prints router/device instructions:\n ```bash\n sudo bash corex.sh manage lan-setup\n ```\n3. Set your **router's primary DNS to `YOUR_IP`** (printed at the end of `lan-setup`)\n4. Now all `*.yourdomain.com` lookups from LAN devices resolve to your server — file uploads, photo syncs, and vault access all stay on the local network at full speed, bypassing Cloudflare entirely\n\n### 2. Cloudflare Tunnel (External Access)\n\nIn [Cloudflare Dashboard](https://one.dash.cloudflare.com) → Networks → Tunnels → Public Hostnames, add:\n\n| Hostname | Service | URL |\n| -------------------------- | ------- | -------------------- |\n| `photos.yourdomain.com` | HTTP | `immich-server:2283` |\n| `nextcloud.yourdomain.com` | HTTP | `nextcloud:80` |\n| `vault.yourdomain.com` | HTTP | `vaultwarden:80` |\n| `n8n.yourdomain.com` | HTTP | `n8n:5678` |\n| `mail.yourdomain.com` | HTTP | `stalwart:8080` |\n| `status.yourdomain.com` | HTTP | `uptime-kuma:3001` |\n| `grafana.yourdomain.com` | HTTP | `grafana:3000` |\n| `ai.yourdomain.com` | HTTP | `open-webui:8080` |\n\n\u003e ⚠️ Use **container names**, not `localhost`. Cloudflared runs inside Docker on `proxy-net`. Enable **No TLS Verify** under each hostname's TLS settings.\n\n### 3. Create Admin Accounts\n\nOpen each service immediately — the first visitor becomes admin:\n\n- Portainer: `https://YOUR_IP:9443`\n- Nextcloud: `https://nextcloud.yourdomain.com`\n- Immich: `https://photos.yourdomain.com`\n- Vaultwarden: `https://vault.yourdomain.com`\n- n8n: `https://n8n.yourdomain.com`\n- Uptime Kuma: `https://status.yourdomain.com`\n- Open WebUI: `https://ai.yourdomain.com`\n\n### 4. View All Credentials\n\n```bash\ncat /root/corex-credentials.txt # Quick reference\ncat /root/CoreX_Dashboard_Credentials.md # Full guide with every URL and setup instruction\n```\n\n---\n\n## 🔧 Managing Services\n\nv2.0.0 introduced full post-install service management. v2.1.0 added LAN fast-path automation. No need to re-run the installer to add, fix, or configure services.\n\n### Health Check \u0026 Auto-Repair\n\n```bash\nsudo bash corex.sh doctor\n```\n\nChecks every installed service and automatically repairs any that are unhealthy — without touching data.\n\n```\nCoreX Pro — Service Health\n────────────────────────────────────────────────────\n SERVICE STATUS ACTION\n ──────────────────────────────────────────────────\n traefik HEALTHY\n nextcloud HEALTHY\n immich UNHEALTHY → auto-repairing...\n vaultwarden HEALTHY\n n8n MISSING → run: corex manage add n8n\n```\n\n### Add / Remove Services\n\n```bash\nsudo bash corex.sh manage add stalwart # Add a service skipped during install\nsudo bash corex.sh manage add ai # Add the full AI stack\nsudo bash corex.sh manage remove n8n # Remove (prompts about data deletion)\nsudo bash corex.sh manage list # List all installed + available services\n```\n\n### Update Container Images\n\n```bash\nsudo bash corex.sh manage update --all # Update all installed services\nsudo bash corex.sh manage update nextcloud # Update a specific service\n```\n\n### Start / Stop Without Removing\n\n```bash\nsudo bash corex.sh manage disable immich # Stop container (data preserved)\nsudo bash corex.sh manage enable immich # Start again\n```\n\n### ⚡ LAN Fast-Path (Full-Speed Local Transfers)\n\nWhen your devices use AdGuard (on the CoreX server) as their DNS, `*.yourdomain.com` resolves to the server's **local IP** instead of Cloudflare. File uploads, photo syncs, and vault access all stay entirely on the local network at full LAN speed (~1 Gbps), bypassing the Cloudflare Tunnel.\n\n```bash\nsudo bash corex.sh manage lan-setup\n```\n\nThis command:\n- Automatically adds the wildcard `*.yourdomain.com → SERVER_IP` DNS rewrite in AdGuard via API\n- Prints step-by-step DNS configuration instructions for router, macOS, Windows, iPhone, and Android\n- Includes a verification command to confirm the fast-path is active\n\n**External access** through Cloudflare Tunnel continues to work unchanged for devices off the LAN.\n\n---\n\n## 🔄 Backup \u0026 Restore\n\nCoreX uses [Restic](https://restic.net/) for encrypted, deduplicated, versioned backups.\n\n**What's backed up:** All service data (databases, uploads, mail, photos, configs, compose files).\n\n**What's NOT backed up:** Docker images (re-pulled on restore), the Restic repo itself.\n\n### Commands\n\n```bash\nsudo corex-backup.sh # Manual backup\ntail -20 /var/log/corex-backup.log # View backup log\nsudo corex-restore.sh # Interactive restore (shows all snapshots)\nsudo corex-restore.sh abc123ef # Restore specific snapshot\n```\n\n### Automatic Schedule\n\nBackups run daily at **3:00 AM** via cron. Retention: 7 daily, 4 weekly, 6 monthly snapshots.\n\n### Migrate to New Hardware\n\n```bash\n# On old server\nsudo corex-backup.sh\nrsync -avP /mnt/corex-data/backups/restic-repo/ new-server:/mnt/corex-data/backups/restic-repo/\n\n# On new server (after fresh CoreX install)\nsudo corex-restore.sh latest\n```\n\n---\n\n## 🔒 Security\n\nCoreX implements defense-in-depth:\n\n| Layer | Tool | What It Does |\n| ----------- | ---------------------------- | -------------------------------------------------- |\n| Firewall | UFW | Default deny incoming, explicit per-port allow |\n| SSH | Custom port + max 3 attempts | Moves off port 22, limits brute force |\n| Brute Force | Fail2ban | 3 failures → 24hr IP ban |\n| IPS | CrowdSec | Community threat intel, blocks known attackers |\n| Kernel | sysctl hardening | Anti-spoofing, SYN flood protection, ICMP lockdown |\n| Updates | unattended-upgrades | Automatic security patches daily |\n| Containers | no-new-privileges | Prevents privilege escalation inside containers |\n| DNS | resolv.conf locked | `chattr +i` prevents tampering |\n| TLS | Let's Encrypt via Traefik | Auto-renewed HTTPS certificates |\n| Tunnel | Cloudflare | Zero exposed ports on router, DDoS protection |\n\n### Hardening After Install\n\n```bash\n# 1. Set up SSH keys (from your local machine)\nssh-copy-id -p 2222 your_user@YOUR_IP\n\n# 2. Disable password auth (on the server)\nsudo sed -i 's/^#\\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config\nsudo systemctl restart sshd\n\n# 3. Disable Vaultwarden signups\n# Edit /mnt/corex-data/docker-configs/vaultwarden/docker-compose.yml\n# Change SIGNUPS_ALLOWED: \"true\" → \"false\"\ncd /mnt/corex-data/docker-configs/vaultwarden \u0026\u0026 docker compose up -d\n```\n\n---\n\n## 🔧 Troubleshooting\n\n### Service won't start / is broken\n\n```bash\n# Auto-detect and repair all unhealthy services\nsudo bash corex.sh doctor\n\n# Or inspect manually\ndocker ps -a | grep SERVICE_NAME\ndocker logs SERVICE_NAME --tail 50\nsudo bash corex.sh manage repair SERVICE_NAME\n```\n\n### 502 Bad Gateway\n\nUsually a Docker network issue. Verify the container is on `proxy-net`:\n\n```bash\ndocker network inspect proxy-net | grep SERVICE_NAME\n# If missing:\nsudo bash corex.sh manage repair SERVICE_NAME\n```\n\n### Cloudflare Tunnel returns 403\n\n- Use **container names** in the service URL (e.g., `n8n:5678` not `localhost:5678`)\n- Enable **No TLS Verify** under each hostname's TLS settings in CF Dashboard\n\n### Time Machine not connecting\n\n```bash\nss -tlnp | grep 445 # Verify SMB is listening\ndocker logs timemachine --tail 20 # Check container logs\n```\n\n### AdGuard not accessible after reboot\n\nAdGuard changes its internal port after the setup wizard (3000 → 80). Fix with:\n\n```bash\nsudo bash corex.sh manage repair adguard\n```\n\n### Prometheus restart loop\n\n```bash\n# Prometheus runs as UID 65534 (nobody) — ownership must match\nsudo chown -R 65534:65534 /mnt/corex-data/service-data/prometheus\nsudo bash corex.sh manage repair monitoring\n```\n\n### Update all containers\n\n```bash\nsudo bash corex.sh manage update --all\n```\n\n---\n\n## 🗺 Port Reference\n\n| Port | Service | Protocol | Exposure |\n| ---------- | ------------------------------- | -------- | -------------------- |\n| 53 | AdGuard Home (DNS) | TCP/UDP | LAN |\n| 80 | Traefik (HTTP → HTTPS redirect) | TCP | Public via CF Tunnel |\n| 443 | Traefik (HTTPS) | TCP | Public via CF Tunnel |\n| 445 | Time Machine (SMB) | TCP | LAN only |\n| 2222 | SSH | TCP | LAN (or VPN) |\n| 2283 | Immich | TCP | Via Traefik |\n| 3000 | AdGuard Home (Admin UI) | TCP | LAN |\n| 3001 | Uptime Kuma | TCP | Via Traefik |\n| 3002 | Grafana | TCP | Via Traefik |\n| 3003 | Open WebUI | TCP | Via Traefik |\n| 3005 | Browserless | TCP | LAN |\n| 5678 | n8n | TCP | Via Traefik |\n| 8000 | Coolify | TCP | LAN |\n| 8080 | Traefik Dashboard | TCP | LAN |\n| 9090 | Prometheus | TCP | Internal |\n| 9443 | Portainer | TCP | LAN |\n| 11434 | Ollama API | TCP | LAN only |\n| 25/587/465 | Stalwart (SMTP) | TCP | Public |\n| 143/993 | Stalwart (IMAP) | TCP | Public |\n\n---\n\n## ⬆️ Upgrading from v1\n\nIf you have a v1 install (no `state.json`), run the installer once — it detects the running Traefik container, reconstructs state from your existing containers, and exits without touching anything:\n\n```bash\nsudo bash corex.sh install\n# → Detected v1 install — migrating to v2 state tracking\n# → Run: sudo bash corex.sh manage status\n```\n\nNo restarts. No data changes. Just state file creation so all v2 management commands work.\n\n---\n\n## 🤝 Contributing\n\nContributions are welcome! The v2 architecture makes adding services easy.\n\n**Adding a new self-hosted service:**\n\n1. Create `lib/services/yourservice.sh` following the module contract\n2. Export metadata vars: `SERVICE_NAME`, `SERVICE_LABEL`, `SERVICE_CATEGORY`, `SERVICE_RAM_MB`\n3. Implement 6 functions: `_dirs`, `_firewall`, `_deploy`, `_destroy`, `_status`, `_repair`\n4. Drop the file — the wizard, doctor, and manage commands discover it automatically\n\n**Before submitting a PR:**\n\n1. Test on a fresh Ubuntu 24.04 LTS Server install\n2. Run `bash -n` on all modified shell files (zero errors policy)\n3. Run `shellcheck` (zero warnings policy)\n4. Add a smoke test in `test/smoke/` for any new service module\n\n---\n\n## 🧹 Uninstall \u0026 Rollback\n\nCoreX Pro comes with a companion nuke script that cleanly reverses everything the installer did.\n\n```bash\n# Interactive - choose what to undo\nsudo bash corex.sh nuke\n\n# Preview what would happen (changes nothing)\nsudo bash corex.sh nuke --dry-run\n\n# Full nuke (still asks for confirmation)\nsudo bash corex.sh nuke --all\n```\n\nThe nuke script has 10 phases - each asks for confirmation. You can selectively undo just containers, just firewall rules, just DNS, etc. Your SSD data is preserved unless you explicitly choose to wipe it (requires typing `WIPE MY DATA`).\n\n**Full documentation:** [NUKE.md](NUKE.md)\n\n---\n\n## 📁 Repo Structure\n\n```\ncorex-pro/\n├── corex.sh # CLI entry point (all commands)\n├── install-corex-master.sh # Thin orchestrator (~200 lines)\n├── corex-manage.sh # Post-install service manager\n├── nuke-corex.sh # Uninstall/rollback (10 phases)\n├── migrate-domain.sh # Change domain across all services\n├── CLAUDE.md # AI assistant context (architecture + gotchas)\n├── CHANGELOG.md\n├── README.md\n├── lib/\n│ ├── common.sh # Logging, colors, utilities\n│ ├── state.sh # /etc/corex/state.json management\n│ ├── wizard.sh # Interactive setup wizard (whiptail + fallback)\n│ ├── preflight.sh # Pre-flight checks, password generation\n│ ├── drive.sh # SSD partitioning and mounting\n│ ├── security.sh # SSH hardening, UFW, Fail2ban, sysctl\n│ ├── docker.sh # Docker install, network creation\n│ ├── directories.sh # Directory structure and ownership\n│ ├── backup.sh # Restic setup, backup/restore scripts\n│ ├── summary.sh # Credentials file + dashboard docs\n│ └── services/ # One file per service — drop a file to add one\n│ ├── traefik.sh\n│ ├── adguard.sh\n│ ├── portainer.sh\n│ ├── nextcloud.sh\n│ ├── immich.sh\n│ ├── vaultwarden.sh\n│ ├── n8n.sh\n│ ├── stalwart.sh\n│ ├── timemachine.sh\n│ ├── coolify.sh\n│ ├── crowdsec.sh\n│ ├── cloudflared.sh\n│ ├── monitoring.sh # Uptime Kuma + Grafana + Prometheus bundle\n│ └── ai.sh # Ollama + Open WebUI + Browserless bundle\n└── test/\n ├── Dockerfile.test # Ubuntu 24.04 + bats + shellcheck + jq\n ├── run-tests.sh\n ├── unit/ # Pure bash unit tests (no Docker/root required)\n └── smoke/ # Validates generated docker-compose files\n```\n\n---\n\n## 🔀 Domain Migration\n\nNeed to change your domain? One command updates all services:\n\n```bash\nsudo bash corex.sh migrate # Interactive\nsudo bash corex.sh migrate olddomain.com newdomain.com # Direct\nsudo bash corex.sh migrate --dry-run old.com new.com # Preview only\n```\n\nBacks up all compose files, updates every reference, clears old TLS certs (Traefik auto-renews), restarts affected services, and prints a checklist of manual steps (Cloudflare Tunnel hostnames, AdGuard DNS rewrites, mobile app server URLs).\n\n---\n\n## 🙏 Credits\n\nCoreX Pro builds on these excellent open-source projects:\n\n[Traefik](https://traefik.io/) • [AdGuard Home](https://adguard.com/adguard-home.html) • [Portainer](https://www.portainer.io/) • [Nextcloud](https://nextcloud.com/) • [Immich](https://immich.app/) • [Vaultwarden](https://github.com/dani-garcia/vaultwarden) • [Stalwart Mail](https://stalw.art/) • [Coolify](https://coolify.io/) • [n8n](https://n8n.io/) • [Ollama](https://ollama.com/) • [Open WebUI](https://openwebui.com/) • [Browserless](https://www.browserless.io/) • [Uptime Kuma](https://uptime.kuma.pet/) • [Grafana](https://grafana.com/) • [Prometheus](https://prometheus.io/) • [CrowdSec](https://www.crowdsec.net/) • [Restic](https://restic.net/) • [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)\n\nInspired by the self-hosting philosophy of [NetworkChuck](https://www.youtube.com/@NetworkChuck), [Techno Tim](https://www.youtube.com/@TechnoTim), and the [r/selfhosted](https://www.reddit.com/r/selfhosted/) community.\n\n---\n\n\u003cp align=\"center\"\u003e\n \u003cstrong\u003eOwn your data. Own your stack.\u003c/strong\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n \u003cstrong\u003eMade with ❤️ in 🇮🇳\u003c/strong\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitismowgli%2Fcorex-pro","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitismowgli%2Fcorex-pro","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitismowgli%2Fcorex-pro/lists"}