🔧 Renovate: Update (minor) hoverkraft-tech/compose-action action to v2.3.0

Reviewed-on: #32

.gitea/workflows/pr-docker-deploy.yml

@@ -5,6 +5,7 @@ on:
   push:
     branches-ignore:
       - 'main'
+      - 'renovate/**'
     paths:
       - '**/docker-compose.yml'
       - '**/pr-docker-deploy.yml'
@@ -149,6 +150,12 @@ jobs:
         run: |
           docker login -u gitea-sonarqube-bot -p ${RIKKU_REGISTRY_PASSWORD} git.trez.wtf
 
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
       - name: Cache Vault install
         id: cache-vault
         uses: actions/cache@v4
@@ -198,9 +205,59 @@ jobs:
           notification_title: 'GITEA: Docker Compose Dry Run @ Rikku'
           notification_message: 'Docker Compose dry run completed successfully.'
 
+  regenerate-readme-modified-services:
+    name: Update README & Generate List of Modified Services
+    runs-on: ubuntu-latest
+    needs: [docker-compose-dry-run]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install yq
+        uses: dcarbone/install-yq-action@v1
+
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RIKKU_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RIKKU_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: README Update'
+          notification_message: 'Updating README...'
+
+      - name: Generate service list
+        run: |
+          yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
+
+      - name: Generate Markdown Table
+        uses: gazab/create-markdown-table@v1
+        id: service-table
+        with:
+          file: ./services.yml
+
+      - name: Regenerate README
+        run: |
+          echo "# List of Services" > README.md
+          echo -e "\n\n" >> README.md
+          echo "${{ steps.service-table.outputs.table }}" >> README.md
+
+      - name: Add/Commit README.md
+        id: commit-readme
+        uses: EndBug/add-and-commit@v9
+        with:
+          message: "chore: Update README"
+          add: "README.md"
+
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RIKKU_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RIKKU_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: README Update'
+          notification_message: 'README updated'
+
   pr-merge:
     name: PR Merge
-    needs: [generate-service-list, docker-compose-dry-run]
+    needs: [generate-service-list, docker-compose-dry-run, regenerate-readme-modified-services]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -299,6 +356,17 @@ jobs:
           registry_pass: ${{ secrets.GHCR_LOGIN_TOKEN }}
           summary: true
 
+      - name: Docker Compose Healthcheck
+        uses: jaracogmbh/docker-compose-health-check-action@v1.0.0
+        env:
+          DOCKER_HOST: tcp://192.168.1.252:2375
+        with:
+          max-retries: 30
+          retry-interval: 10
+          compose-file: "docker-compose.yml"
+          skip-exited: "true"
+          skip-no-healthcheck: "true"
+
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:

.gitea/workflows/renovate-pr-deploy.yml

@@ -0,0 +1,128 @@
+name: Renovate PR Deployment
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+jobs:
+  deploy:
+    if: |
+      github.event.pull_request.merged == true &&
+      github.event.pull_request.user.login == 'renovate-bot'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Detect Renovate update type
+        id: detect-update
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          echo "PR body: $PR_BODY"
+
+          if echo "$PR_BODY" | grep -qE 'Update\s+(patch|minor|major|digest)'; then
+            echo "update=true" >> $GITHUB_OUTPUT
+          else
+            echo "update=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Stop if update not patch/minor/major/digest
+        if: steps.detect-update.outputs.update != 'true'
+        run: |
+          echo "::warning::This PR does not involve patch/minor/major/digest update. Skipping deployment."
+          exit 0
+
+      - name: Get changed services from docker-compose.yml
+        id: services
+        run: |
+          # Ensure we have main branch available
+          git fetch origin main
+
+          # Find the common ancestor (merge-base) between PR HEAD and main
+          base=$(git merge-base HEAD origin/main)
+
+          # Get all image names added/changed in docker-compose.yml since base
+          images=$(git diff $base HEAD -- docker-compose.yml \
+            | grep -E '^\+.*image:' \
+            | sed -E 's/.*image:[[:space:]]*//g' \
+            | awk -F: '{print $1}' \
+            | sort -u)
+
+          # Map images to service names using yq
+          services=""
+          for img in $images; do
+            svc=$(yq e ".services | with_entries(select(.value.image | startswith(\"$img\"))) | keys | .[]" docker-compose.yml)
+            services="$services $svc"
+          done
+
+          # Deduplicate and trim
+          services=$(echo $services | tr ' ' '\n' | sort -u | xargs)
+          echo "services=$services" >> $GITHUB_OUTPUT
+
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RIKKU_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RIKKU_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: [RENOVATE] Docker Compose Deployment @ Rinoa'
+          notification_message: 'Starting Docker Compose run...'
+
+      - name: Pull images for modified services
+        if: steps.services.outputs.services != ''
+        run: |
+          services="${{ steps.services.outputs.services }}"
+          echo "Pulling images for services: $services"
+          for svc in $services; do
+            docker compose pull $svc || echo "Failed to pull $svc, continuing..."
+          done
+
+      - name: Docker Compose Deployment
+        uses: hoverkraft-tech/compose-action@v2.3.0
+        env:
+          DOCKER_HOST: tcp://dockerproxy:2375
+        with:
+          services: |
+            ${{ steps.services.outputs.services }}
+          up-flags: -d --remove-orphans
+          compose-flags: --profile rinoa-apps
+
+      - name: Docker Compose Healthcheck
+        continue-on-error: true
+        id: health
+        uses: jaracogmbh/docker-compose-health-check-action@v1.0.0
+        with:
+          max-retries: 30
+          retry-interval: 10
+          compose-file: "docker-compose.yml"
+          skip-exited: "true"
+          skip-no-healthcheck: "true"
+
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RIKKU_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RIKKU_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: [RENOVATE] Docker Compose Deployment @ Rinoa'
+          notification_message: 'Deployment completed successfully.'
+
+      - name: Deployment Summary
+        if: always()
+        run: |
+          echo "### 🚀 Renovate Patch Deployment Summary" >> $GITHUB_STEP_SUMMARY
+
+          if [[ -z "${{ steps.services.outputs.services }}" ]]; then
+            echo "- No services changed in this patch update." >> $GITHUB_STEP_SUMMARY
+            exit 0
+          fi
+
+          echo "- Updated services: \`${{ steps.services.outputs.services }}\`" >> $GITHUB_STEP_SUMMARY
+
+          if [[ "${{ steps.health.outcome }}" == "success" ]]; then
+            echo "- ✅ All services passed health checks." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- ⚠️ Some services failed health checks. Check logs above for details." >> $GITHUB_STEP_SUMMARY
+          fi

README.md

@@ -0,0 +1,19 @@
+# List of Services
+
+
+
+| Service | Image |
+| --- | --- |
+| adguard | adguard/adguardhome:v0.107.65 |
+| beszel-agent | henrygd/beszel-agent:0.12.7 |
+| castsponsorskip | ghcr.io/gabe565/castsponsorskip:0.8.2 |
+| docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
+| dockflare | alplat/dockflare:stable |
+| ha-fusion | ghcr.io/matt8707/ha-fusion:2024.10.1 |
+| homeassistant | ghcr.io/home-assistant/home-assistant:stable |
+| ollama | ollama/ollama:0.11.10 |
+| signoz-logspout | pavanputhra/logspout-signoz:2025.07.19-887dfeb |
+| upsnap | ghcr.io/seriousm4x/upsnap:5 |
+| watchtower | ghcr.io/containrrr/watchtower:latest |
+| webhook | thecatlady/webhook:2.8.1 |
+

docker-compose.yml

@@ -10,7 +10,7 @@ services:
     container_name: adguard
     environment:
       TZ: ${TZ}
-    image: adguard/adguardhome:latest
+    image: adguard/adguardhome:v0.107.66
     network_mode: host
     privileged: true
     # ports:
@@ -37,7 +37,7 @@ services:
       HUB_URL: http://192.168.1.254:22220
     expose:
       - 45876
-    image: henrygd/beszel-agent:latest
+    image: henrygd/beszel-agent:0.12.9
     network_mode: host
     restart: unless-stopped
     volumes:
@@ -46,7 +46,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
   castsponsorskip:
     container_name: castsponsorskip
-    image: ghcr.io/gabe565/castsponsorskip
+    image: ghcr.io/gabe565/castsponsorskip:0.8.2
     environment:
       # Set the container timezone
       # See identifier list at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
@@ -89,6 +89,57 @@ services:
     restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
+  dockflare:
+    container_name: dockflare
+    environment:
+      AGENT_STATUS_UPDATE_INTERVAL_SECONDS: 10
+      CF_ACCOUNT_ID: ${CLOUDFLARE_ACCOUNT_ID}
+      CF_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
+      CF_ZONE_ID: ${CLOUDFLARE_ZONE_ID}
+      CLEANUP_INTERVAL_SECONDS: 300
+      CLOUDFLARED_METRICS_PORT: 20119
+      CLOUDFLARED_NETWORK_NAME: rikku_default
+      DEFAULT_NO_TLS_VERIFY: false
+      GRACE_PERIOD_SECONDS: 600
+      LABEL_PREFIX: cloudflare.tunnel
+      MAX_CONCURRENT_DNS_OPS: 3
+      RECONCILIATION_BATCH_SIZE: 3
+      SCAN_ALL_NETWORKS: false
+      STATE_FILE_PATH: /app/data/state.json
+      TRUSTED_PROXIES: 192.168.1.0/24,172.18.0.0/16
+      TUNNEL_DNS_SCAN_ZONE_NAMES:
+      TUNNEL_NAME: dockflared-tunnel
+      TZ: ${TZ}
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- --server-response http://localhost:5000/ping 2>&1 | awk '/^  HTTP/{code=$2} /^[^{]/{next} {print; fflush()} END{exit (code>=400 || code==0)}' >/dev/null"]
+      interval: 1m30s
+      timeout: 30s
+      retries: 5
+      start_period: 30s
+    image: alplat/dockflare:stable # Or :unstable for the latest features
+    # labels:
+    #   ## EXAMPLE CF TUNNEL LABELS ###
+    #   Enable DockFlare management for this container
+    #   - "cloudflare.tunnel.enable=true"
+    #   The public hostname to expose
+    #   - "cloudflare.tunnel.hostname=my-service.example.com"
+    #   The internal service address (protocol://container_name_or_ip:port)
+    #   Service type (http, https, tcp, ssh, rdp, http_status) is inferred from the prefix.
+    #   - "cloudflare.tunnel.service=http://my-service:80"
+    #   Optional: Specify a URL path. Only requests to hostname/path will match.
+    #   - "cloudflare.tunnel.path=/app"
+    #   Optional: Specify a different Cloudflare Zone for this hostname
+    #   - "cloudflare.tunnel.zonename=another.example.com"
+    #   Optional: Disable TLS verification if your internal service uses HTTP or a self-signed cert
+    #   - "cloudflare.tunnel.no_tls_verify=true"
+    #   Optional: Specify Origin Server Name (SNI) for TLS connection to origin
+    #   - "cloudflare.tunnel.originsrvname=internal.service.local"
+    ports:
+      - 5001:5000
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - dockflare_data:/app/data
   ha-fusion:
     container_name: ha-fusion
     depends_on:
@@ -98,7 +149,7 @@ services:
     environment:
       TZ: ${TZ}
       HASS_URL: http://192.168.1.252:8123
-    image: ghcr.io/matt8707/ha-fusion
+    image: ghcr.io/matt8707/ha-fusion:2024.10.1
     labels:
       com.centurylinklabs.watchtower.monitor-only: true
     ports:
@@ -125,7 +176,7 @@ services:
       - /run/dbus:/run/dbus:ro
   ollama:
     container_name: ollama
-    image: ollama/ollama:latest
+    image: ollama/ollama:0.12.0
     ports:
       - 11434:11434
     restart: unless-stopped
@@ -137,10 +188,35 @@ services:
     environment:
       ENV: prod
       SIGNOZ_LOG_ENDPOINT: http://192.168.1.254:8082
-    image: pavanputhra/logspout-signoz
+    image: pavanputhra/logspout-signoz:2025.07.19-887dfeb
     restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
+  upsnap:
+    container_name: upsnap
+    dns:
+      - 192.168.1.254
+    entrypoint: /bin/sh -c "./upsnap serve --http 0.0.0.0:5000"
+    environment:
+      TZ: ${TZ} # Set container timezone for cron schedules
+      UPSNAP_INTERVAL: '*/10 * * * * *' # Sets the interval in which the devices are pinged
+      UPSNAP_SCAN_RANGE: 192.168.1.0/24 # Scan range is used for device discovery on local network
+      UPSNAP_SCAN_TIMEOUT: 500ms # Scan timeout is nmap's --host-timeout value to wait for devices (https://nmap.org/book/man-performance.html)
+      UPSNAP_PING_PRIVILEGED: true # Set to false if you don't have root user permissions
+      UPSNAP_WEBSITE_TITLE: 'UpSnap @ Rikku' # Custom website title
+    # # To use a non-root user, create the mountpoint first (mkdir data) so that it has the right permission.
+    # # dns is used for name resolution during network scan
+    # # or install custom packages for shutdown
+    # entrypoint: /bin/sh -c "apk update && apk add --no-cache <YOUR_PACKAGE> && rm -rf /var/cache/apk/* && ./upsnap serve --http 0.0.0.0:8090"
+    healthcheck:
+      test: curl -fs "http://localhost:5000/api/health" || exit 1
+      interval: 10s
+    image: ghcr.io/seriousm4x/upsnap:5 # images are also available on docker hub: seriousm4x/upsnap:5
+    network_mode: host
+    privileged: true
+    restart: unless-stopped
+    volumes:
+      - ${RIKKU_DOCKER_DIR}/upsnap:/app/pb_data
   watchtower:
     container_name: watchtower
     environment:
@@ -171,7 +247,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
   webhook:
     command: '-verbose -hooks=/etc/webhook/hooks.json -hotreload'
-    image: thecatlady/webhook:latest
+    image: thecatlady/webhook:2.8.1
     container_name: webhook
     ports:
       - 9000:9000
@@ -180,5 +256,7 @@ services:
       - ${RIKKU_DOCKER_DIR}/webhook/conf:/etc/webhook
       - ${RIKKU_DOCKER_DIR}/webhook/scripts:/opt/webhook_scripts
 volumes:
+  dockflare_data:
+    name: dockflare_data
   ollama:
     name: ollama

renovate.json

@@ -0,0 +1,71 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "prHourlyLimit": 2,
+  "prConcurrentLimit": 5,
+  "dependencyDashboard": true,
+  "dependencyDashboardApproval": true,
+  "dependencyDashboardHeader": "### 🔧 Renovate Dashboard\n\n- ✅ Patch updates will be created and auto-merged automatically.\n- 📝 Minor and Major updates will appear here first. Approve them to generate PRs.\n- 🏷️ Labels `update:patch`, `update:minor`, and `update:major` mark update types.\n",
+  "labels": ["dependencies", "renovate"],
+  "schedule": ["before 6am on monday"],
+  "semanticCommits": "enabled",
+  "commitMessagePrefix": "🔧 Renovate:",
+  "branchNameStrict": true,
+  "branchPrefix": "renovate/",
+  "branchTopic": "{{manager}}/{{depName}}",
+  "commitMessageAction": "Update ({{updateType}})",
+  "commitMessageTopic": "{{manager}}/{{depName}} to {{newVersion}}",
+  "prBodyNotes": [
+    "### ⚡ Renovate Update Info",
+    "- **Update Type:** {{updateType}}",
+    "- **Automerge:** {{#if isAutomerge}}✅ This update will be auto-merged once all checks pass{{else}}🛑 This update requires manual approval{{/if}}"
+  ],
+  "packageRules": [
+    {
+      "matchPackageNames": [
+        "adguard/adguardhome",
+        "henrygd/beszel-agent",
+        "ghcr.io/gabe565/castsponsorskip",
+        "ollama/ollama",
+        "thecatlady/webhook"
+      ],
+      "versioning": "semver"
+    },
+    {
+      "matchPackageNames": [
+        "ghcr.io/tecnativa/docker-socket-proxy",
+        "ghcr.io/matt8707/ha-fusion",
+        "ghcr.io/home-assistant/home-assistant",
+        "pavanputhra/logspout-signoz"
+      ],
+      "versioning": "docker"
+    },
+    {
+      "matchUpdateTypes": ["patch"],
+      "schedule": ["every weekday"],
+      "automerge": true,
+      "labels": ["dependencies", "renovate", "update:patch"]
+    },
+    {
+      "matchUpdateTypes": ["minor"],
+      "automerge": false,
+      "dependencyDashboardApproval": true,
+      "labels": ["dependencies", "renovate", "update:minor"]
+    },
+    {
+      "matchUpdateTypes": ["major"],
+      "automerge": false,
+      "dependencyDashboardApproval": true,
+      "labels": ["dependencies", "renovate", "update:major"]
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchPackageNames": [
+        "actions/checkout",
+        "supplypike/setup-bin"
+      ],
+      "allowedVersions": "^4.0.0",
+      "groupName": "github-actions (pinned to v4)"
+    }
+  ]
+}