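# Kopia repository server, deployed as a Docker Swarm service.
#
# Credentials are not stored in this file. docker stack deploy interpolates
# ${VAR} from the deploying shell (it does not read a .env file), so export
# them first:
#
#   export KOPIA_PASSWORD='<repository-password>'          # placeholder
#   export KOPIA_SERVER_PASSWORD='<server-password>'       # placeholder
#   docker stack deploy -c kopia.yaml kopia
#
# Any password that was previously committed in this file should be treated
# as exposed and rotated. Use different values for the repository password
# and the server password.
---
services:
  kopia:
    # NOTE(review): `latest` is a moving tag. Pinning a released version or
    # digest (kopia/kopia:<version>@sha256:<digest>, placeholders) makes
    # deploys reproducible and upgrades deliberate.
    image: kopia/kopia:latest
    # Run as an unprivileged UID:GID instead of root.
    user: "1964:1964"
    environment:
      TZ: America/Chicago
      PUID: "1964"
      PGID: "1964"
      # Repository password. Deployment fails if the variable is unset.
      # Environment values are still readable through
      # `docker service inspect`, so access to the Swarm API must be limited.
      KOPIA_PASSWORD: "${KOPIA_PASSWORD:?not set}"
      KOPIA_SERVER_USERNAME: admin
      KOPIA_SERVER_PASSWORD: "${KOPIA_SERVER_PASSWORD:?not set}"
    command:
      - server
      - start
      - --tls-cert-file=/app/cert/my.cert
      - --tls-key-file=/app/cert/my.key
      - --address=0.0.0.0:51515
      - --server-username=admin
      # No --server-password flag: the server reads KOPIA_SERVER_PASSWORD
      # from the environment, which keeps the secret out of the process
      # argument list and out of this file.
    volumes:
      - /DockerVol/kopia/config:/app/config
      - /DockerVol/kopia/cache:/app/cache
      # Holds the TLS private key; keep the host directory readable only by
      # UID 1964. NOTE(review): could likely be mounted :ro - confirm the
      # server never writes here.
      - /DockerVol/kopia/cert:/app/cert
      - /data/nfs/znas/Docker/kopia/logs:/app/logs
      - /srv/vault/kopia_repository:/repository
      - /srv/vault/backup:/vault
    ports:
      # Published through the Swarm routing mesh, so the Kopia endpoint is
      # reachable on port 51515 directly, without passing through Caddy and
      # its crowdsec / authentik imports. Keep it only if clients need
      # direct access, and restrict it at the firewall.
      - "51515:51515"
    networks:
      - netgrimoire
    deploy:
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints:
          - node.platform.arch != arm
          - node.platform.arch != aarch64
          - node.hostname == znas
      labels:
        gremlin.version: "2026-04-1"
        gremlin.caddy.reverse_proxy.skip: "true"
        gremlin.context: "Kopia runs its own TLS on port 51515. caddy.reverse_proxy must use https:// with tls_insecure_skip_verify. monitor.url uses tcp check as HTTP will fail against a TLS endpoint."

        # --- Caddy ---
        caddy: kopia.netgrimoire.com
        caddy.reverse_proxy: https://kopia:51515
        caddy.reverse_proxy.transport: http
        # Caddy does not validate Kopia's certificate on this hop, so the
        # upstream's identity rests on the overlay network alone.
        # NOTE(review): trusting the Kopia certificate/CA in the Caddy
        # transport would allow dropping this setting.
        caddy.reverse_proxy.transport.tls_insecure_skip_verify: "true"
        caddy.import_1: crowdsec
        caddy.import_2: authentik

        # --- Monitor ---
        monitor.name: Kopia
        monitor.url: tcp://kopia:51515
        monitor.type: tcp

        # --- Homepage ---
        homepage.group: Backup
        homepage.name: Kopia
        homepage.icon: kopia.png
        homepage.href: https://kopia.netgrimoire.com
        homepage.description: Snapshot backup and deduplication

        # --- DIUN ---
        diun.enable: "true"

networks:
  netgrimoire:
    external: true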