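---
# Docker Compose project "rikku".
#
# Reading notes for reviewers:
# - Every image is pinned by digest (tag@sha256:...). With a digest present the
#   digest selects the image content, so ":latest"/":stable" here is
#   informational only.
# - Secrets are injected through ${...} interpolation rather than committed.
#   They still end up in each container's environment, which is readable via
#   `docker inspect` by anything that can reach the Docker API. Several
#   services below mount /var/run/docker.sock, so treat those services as able
#   to read every secret in this file.
# - Boolean-looking environment/label values and port mappings are quoted so
#   the YAML parser cannot retype them before Compose sees them.
name: rikku

networks:
  default:
    name: rikku_default

services:
  adguard:
    # NOTE(review): privileged: true already grants every capability, so the
    # cap_add list is redundant while it is set. The two listed capabilities
    # suggest privileged could be dropped - confirm against a test run.
    cap_add:
      - NET_BIND_SERVICE
      - NET_RAW
    container_name: adguard
    environment:
      TZ: ${TZ}
    image: adguard/adguardhome:v0.107.77@sha256:e6f2b8bcda06064ab055b44933a4f0e983c35558b9cdb8d2e7ab1efcee36d890
    network_mode: host
    privileged: true
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${RIKKU_DOCKER_DIR}/adguard/work:/opt/adguardhome/work
      - ${RIKKU_DOCKER_DIR}/adguard/conf:/opt/adguardhome/conf
      # NOTE(review): certificate directory is mounted read-write; the
      # consumer presumably only reads it, so :ro may be possible - confirm.
      - /mnt/swag-certs:/opt/adguardhome/certs

  beszel-agent:
    container_name: beszel-agent
    environment:
      PORT: 45876
      # Do not remove quotes around the key
      KEY: "${BESZEL_RINOA_AGENT_KEY}"
      TOKEN: ${BESZEL_RIKKU_TOKEN}
      # NOTE(review): plain http to the hub; the token crosses the LAN
      # unencrypted.
      HUB_URL: http://192.168.1.254:22220
    # With network_mode: host the container shares the host's network stack,
    # so this expose entry is documentation only.
    expose:
      - 45876
    image: henrygd/beszel-agent:0.18.7@sha256:8874e2c53f9de5e063a6a80d6b617e20fa593ac5dc4eb4c6ce1f912f510f38f8
    network_mode: host
    restart: unless-stopped
    volumes:
      - ${RIKKU_DOCKER_DIR}/beszel-agent:/var/lib/beszel-agent
      - /dev/mmcblk0:/extra-filesystems/dev/mmcblk0:ro
      # NOTE(review): :ro only makes the socket file's mount read-only; it
      # does not restrict which Docker API calls can be sent over the socket.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  castsponsorskip:
    container_name: castsponsorskip
    image: ghcr.io/gabe565/castsponsorskip:0.8.3@sha256:f556d274aab94c3140058e9f192396bc75e04d8e075769223c1edfc8c4f4daa4
    environment:
      TZ: ${TZ}
      # CSS_PAUSED_INTERVAL:
      # CSS_PLAYING_INTERVAL:
      # CSS_CATEGORIES:
      # CSS_YOUTUBE_API_KEY:
      # CSS_MUTE_ADS:
    network_mode: host
    restart: unless-stopped

  docker-socket-proxy:
    # NOTE(review): highest-risk service in this file. The proxy exists to
    # filter the Docker API, but nearly every section is enabled, including
    # POST and EXEC, and the listener is published on 2375 with no TLS or
    # authentication configured here. Any host that can reach that port has
    # effectively unrestricted control of the Docker daemon.
    # Mitigations to consider: enable only the sections the consumer needs,
    # leave POST and EXEC at 0 for read-only consumers, publish on a single
    # address ("<HOST_LAN_IP - placeholder>:2375:2375") or keep it on an
    # internal network, and restrict the port to the consuming host.
    container_name: dockerproxy
    environment:
      AUTH: 1
      BUILD: 1
      COMMIT: 1
      CONFIGS: 1
      CONTAINERS: 1
      DISTRIBUTION: 1
      EVENTS: 1
      EXEC: 1
      # NOTE(review): "GPRC" looks like a typo for GRPC, so this entry
      # presumably has no effect. Left unchanged on purpose: correcting it
      # would open one more API section. Delete it unless gRPC access is
      # actually required.
      GPRC: 1
      IMAGES: 1
      INFO: 1
      NETWORKS: 1
      NODES: 1
      POST: 1
      PLUGINS: 1
      SERVICES: 1
      SESSION: 1
      SYSTEM: 1
      TASKS: 1
      VOLUMES: 1
      # NOTE(review): debug logging on a component that relays API traffic;
      # drop to a quieter level once troubleshooting is finished.
      LOG_LEVEL: debug
    image: ghcr.io/tecnativa/docker-socket-proxy:latest@sha256:1f3a6f303320723d199d2316a3e82b2e2685d86c275d5e3deeaf182573b47476
    ports:
      - "2375:2375"
    # NOTE(review): confirm privileged is required on this host; it removes
    # the container's isolation around the component holding the socket.
    privileged: true
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  dockflare:
    container_name: dockflare
    environment:
      AGENT_STATUS_UPDATE_INTERVAL_SECONDS: 10
      CF_ACCOUNT_ID: ${CLOUDFLARE_ACCOUNT_ID}
      # NOTE(review): scope this API token to the single zone/tunnel
      # permissions the service needs.
      CF_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
      CF_ZONE_ID: ${CLOUDFLARE_ZONE_ID}
      CLEANUP_INTERVAL_SECONDS: 300
      CLOUDFLARED_METRICS_PORT: 20119
      CLOUDFLARED_NETWORK_NAME: rikku_default
      DEFAULT_NO_TLS_VERIFY: "false"
      GRACE_PERIOD_SECONDS: 600
      LABEL_PREFIX: cloudflare.tunnel
      MAX_CONCURRENT_DNS_OPS: 3
      RECONCILIATION_BATCH_SIZE: 3
      SCAN_ALL_NETWORKS: "false"
      STATE_FILE_PATH: /app/data/state.json
      TRUSTED_PROXIES: 192.168.1.0/24,172.18.0.0/16
      # Deliberately left without a value, as in the original. Compose may
      # resolve a value-less variable from the environment it runs in -
      # confirm that is the intent.
      TUNNEL_DNS_SCAN_ZONE_NAMES:
      TUNNEL_NAME: dockflared-tunnel
      TZ: ${TZ}
    healthcheck:
      # Healthy when /ping answers with an HTTP status below 400.
      test:
        [
          "CMD-SHELL",
          "wget -qO- --server-response http://localhost:5000/ping 2>&1 | awk '/^ HTTP/{code=$2} /^[^{]/{next} {print; fflush()} END{exit (code>=400 || code==0)}' >/dev/null",
        ]
      interval: 1m30s
      timeout: 30s
      retries: 5
      start_period: 30s
    image: alplat/dockflare:stable@sha256:ff2807c696b0752767716825e7b3d9f7d4f353e7ea8a323dc2b7cc174ad27ef7
    # Or :unstable for the latest features
    # labels:
    #   ## EXAMPLE CF TUNNEL LABELS ###
    #   # Enable DockFlare management for this container
    #   - "cloudflare.tunnel.enable=true"
    #   # The public hostname to expose
    #   - "cloudflare.tunnel.hostname=my-service.example.com"
    #   # The internal service address (protocol://container_name_or_ip:port)
    #   # Service type (http, https, tcp, ssh, rdp, http_status) is inferred from the prefix.
    #   - "cloudflare.tunnel.service=http://my-service:80"
    #   # Optional: Specify a URL path. Only requests to hostname/path will match.
    #   - "cloudflare.tunnel.path=/app"
    #   # Optional: Specify a different Cloudflare Zone for this hostname
    #   - "cloudflare.tunnel.zonename=another.example.com"
    #   # Optional: Disable TLS verification if your internal service uses HTTP or a self-signed cert
    #   - "cloudflare.tunnel.no_tls_verify=true"
    #   # Optional: Specify Origin Server Name (SNI) for TLS connection to origin
    #   - "cloudflare.tunnel.originsrvname=internal.service.local"
    # NOTE(review): the management UI is published on all host interfaces;
    # no authentication setting is visible in this file - confirm how it is
    # protected.
    ports:
      - "5001:5000"
    restart: unless-stopped
    volumes:
      # See the note on beszel-agent: :ro does not limit Docker API calls.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockflare_data:/app/data

  ha-fusion:
    container_name: ha-fusion
    depends_on:
      homeassistant:
        condition: service_started
        required: true
    environment:
      TZ: ${TZ}
      HASS_URL: http://192.168.1.252:8123
    image: ghcr.io/matt8707/ha-fusion:2024.10.1@sha256:5eea4634ab2b1e7c7523943996d13318d109b293abe8e9e86c38daf5c41830cb
    ports:
      - "5050:5050"
    restart: unless-stopped
    volumes:
      - ${RIKKU_DOCKER_DIR}/ha-fusion:/app/data

  homeassistant:
    # NOTE(review): privileged: true makes the cap_add and devices entries
    # redundant. Those explicit entries look like the access actually needed,
    # so try running without privileged - confirm against the integrations
    # in use.
    cap_add:
      - NET_ADMIN
      - NET_RAW
    container_name: homeassistant
    devices:
      - /dev/ttyAMA0:/dev/ttyAMA0
      - /dev/ttyS0:/dev/ttyS0
    environment:
      DISABLE_JEMALLOC: "true"
    image: ghcr.io/home-assistant/home-assistant:stable@sha256:f0baa7922ecec7790c40c41baf08ab218b6ab8db5f96dc03b03a0ae33d987c3d
    labels:
      com.centurylinklabs.watchtower.monitor-only: "true"
    network_mode: host
    privileged: true
    restart: unless-stopped
    volumes:
      - ${RIKKU_DOCKER_DIR}/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /run/dbus:/run/dbus:ro

  patchmon-server:
    container_name: patchmon-server
    depends_on:
      patchmon-pg-db:
        condition: service_healthy
      patchmon-redis:
        condition: service_healthy
      patchmon-guacd:
        condition: service_healthy
    environment:
      # NOTE(review): wildcard CORS lets any web origin call this API from a
      # user's browser. Set it to the exact origin(s) that serve the UI.
      CORS_ORIGIN: "*"
      JWT_SECRET: ${PATCHMON_JWT_SECRET}
      POSTGRES_HOST: patchmon-pg-db
      # The password is interpolated into a URL; characters that are special
      # in URLs would need percent-encoding.
      DATABASE_URL: postgresql://patchmon:${PATCHMON_PG_PASSWORD}@patchmon-pg-db:5432/patchmon
      ENABLE_LOGGING: "true"
      GUACD_ADDRESS: patchmon-guacd:4822
      LOG_LEVEL: info
      REDIS_HOST: patchmon-redis
      SESSION_SECRET: ${PATCHMON_SESSION_SECRET}
      AI_ENCRYPTION_KEY: ${PATCHMON_AI_ENCRYPTION_KEY}
      REDIS_PORT: 6379
      REDIS_PASSWORD: ${PATCHMON_REDIS_PASSWORD}
      REDIS_DB: 0
      # NOTE(review): trusting proxy headers is only safe when every request
      # arrives through the reverse proxy, yet port 3000 is also published
      # directly below - confirm direct access is blocked.
      TRUST_PROXY: "true"
      TZ: ${TZ}
    image: ghcr.io/patchmon/patchmon-server:latest@sha256:eaa1bcce290c7003cff01a96cfc893a64cb144e582e9b797875e6381f56b297a
    ports:
      - "3000:3000"
    restart: unless-stopped

  patchmon-pg-db:
    container_name: patchmon-pg-db
    image: postgres:17-alpine@sha256:979c4379dd698aba0b890599a6104e082035f98ef31d9b9291ec22f2b13059ca
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: ${PATCHMON_PG_PASSWORD}
      POSTGRES_USER: patchmon
      POSTGRES_DB: patchmon
    # expose (not ports): reachable from the compose network only.
    expose:
      - 5432
    volumes:
      - patchmon-pg-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U patchmon -d patchmon"]
      interval: 3s
      timeout: 5s
      retries: 7

  patchmon-redis:
    container_name: patchmon-redis
    image: redis:7-alpine@sha256:6ab0b6e7381779332f97b8ca76193e45b0756f38d4c0dcda72dbb3c32061ab99
    restart: unless-stopped
    environment:
      TZ: ${TZ}
      REDIS_PORT: 6379
      REDIS_PASSWORD: ${PATCHMON_REDIS_PASSWORD}
      REDIS_DB: 0
    expose:
      - 6379
    # NOTE(review): the password is passed as a command-line argument here
    # and in the healthcheck, so it is visible in the process list and in
    # `docker inspect`. redis-cli can read it from the REDISCLI_AUTH
    # environment variable instead of -a.
    command: redis-server --requirepass ${PATCHMON_REDIS_PASSWORD}
    volumes:
      - patchmon-redis-data:/data
    healthcheck:
      test:
        [
          "CMD",
          "redis-cli",
          "--no-auth-warning",
          "-a",
          "${PATCHMON_REDIS_PASSWORD}",
          "ping",
        ]
      interval: 3s
      timeout: 5s
      retries: 7

  patchmon-guacd:
    # The most tightly confined service in this file: read-only root
    # filesystem, size-limited tmpfs, no-new-privileges, all capabilities
    # dropped, memory and CPU limits, and no published port.
    container_name: patchmon-guacd
    image: guacamole/guacd:1.6.0@sha256:8974eaa9ba32f713daf311e7cc8cd7e4cdfba1edea39eed75524e78ef4b08f4f
    expose:
      - 4822
    restart: unless-stopped
    read_only: true
    tmpfs:
      - /tmp:size=64m
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 512m
    cpus: "1.0"
    healthcheck:
      test: ["CMD-SHELL", "nc -z localhost 4822 || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s

  portainer-agent:
    # NOTE(review): the agent gets the host root filesystem read-write, the
    # Docker volumes directory and the Docker socket, and listens on a
    # published port. No shared secret is set in this file; the agent
    # supports one via AGENT_SECRET - confirm against the Portainer docs.
    # Restrict 9001 to the Portainer server's address.
    container_name: portainer_agent
    image: portainer/agent:latest@sha256:236246fc09b3e7e9269aad53e57ec71f27b7e114a2b6b70d4fd98c117ccc36d8
    volumes:
      - /:/host
      - /var/lib/docker/volumes:/var/lib/docker/volumes
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always
    ports:
      - "9001:9001"

  renovate:
    container_name: renovate
    environment:
      RENOVATE_CONFIG_FILE: /etc/renovate/config.js
      # --- Authentication & platform ---
      RENOVATE_TOKEN: "${RENOVATE_GITEA_TOKEN}"  # Gitea personal access token for renovate-bot
      RENOVATE_PLATFORM: "gitea"
      RENOVATE_ENDPOINT: "https://git.${MY_TLD}/api/v1"  # your Gitea URL
      RENOVATE_USERNAME: "renovate-bot"
      # NOTE(review): the value ends in a space; an e-mail address in angle
      # brackets may have been lost when this file was published - confirm.
      RENOVATE_GIT_AUTHOR: "Renovate Bot "
      # NOTE(review): the variable name suggests a token issued for another
      # service is reused here. A dedicated, minimally scoped token keeps
      # revocation independent - confirm.
      RENOVATE_GITHUB_COM_TOKEN: ${LIBRECHAT_GITHUB_TOKEN}
      # --- Behavior ---
      # With autodiscover on, the bot token's repository access is the only
      # limit on what Renovate opens PRs against; keep that access narrow.
      RENOVATE_AUTODISCOVER: "true"  # discover all repos renovate-bot has access to
      RENOVATE_ONBOARDING: "true"  # create onboarding PR if repo not configured
      RENOVATE_REQUIRE_CONFIG: "optional"  # run even if no renovate config exists
      RENOVATE_REDIS_URL: redis://renovate-valkey:6379
      LOG_LEVEL: "info"
      # --- Enable dependency dashboard ---
      RENOVATE_EXTENDS: "config:base,:dependencyDashboard"
      # --- Example package rules ---
      # Key corrected from ..._AFTER_AUTOMERG (missing final E); under the
      # misspelled name the setting could not take effect.
      RENOVATE_PRUNE_BRANCH_AFTER_AUTOMERGE: "false"
      RENOVATE_PRUNE_STALE_BRANCHES: "true"
      # --- Scheduling ---
      # Renovate will only process PRs/updates in this time window
      RENOVATE_SCHEDULE: '["after 2am and before 6am"]'
      OTEL_EXPORTER_OTLP_ENDPOINT: http://192.168.1.254:4318
      OTEL_SERVICE_NAME: renovate
      OTEL_SERVICE_NAMESPACE: renovate.${MY_TLD}
      # --- Registry creds ---
      DOCKER_HUB_PASS: ${RENOVATE__DOCKER_HUB_PASS}
      DOCKER_HUB_USER: ${RENOVATE__DOCKER_HUB_USER}
      GHCR_TOKEN: ${RENOVATE__GHCR_TOKEN}
      GHCR_USER: ${RENOVATE__GHCR_USER}
      GITEA_BOT_PASS: ${RENOVATE__GITEA_BOT_PASS}
      GITEA_BOT_USER: ${RENOVATE__GITEA_BOT_USER}
    image: renovate/renovate:43.170.22-full@sha256:934f64671c3f6535f5cce940b921a06aaaf47a347ce7de82b01b4028b223dcda
    restart: unless-stopped
    volumes:
      # NOTE(review): config.js is executed by Renovate with all of the
      # credentials above in scope; a read-only mount (:ro) would stop the
      # container from altering it - confirm nothing writes to it.
      - ${RIKKU_DOCKER_DIR}/renovate/config.js:/etc/renovate/config.js

  renovate-valkey:
    container_name: renovate-valkey
    healthcheck:
      test: redis-cli ping || exit 1
    image: docker.io/valkey/valkey:9-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
    environment:
      # NOTE(review): no password is configured for this cache anywhere in
      # this file. Whether this image reads ALLOW_EMPTY_PASSWORD is not shown
      # here - confirm. Exposure is limited to the compose network (expose
      # only, no published port).
      ALLOW_EMPTY_PASSWORD: "yes"
      VALKEY_DATA_DIR: /data/valkey
      VALKEY_DATABASE: 0
    expose:
      - 6379
    restart: unless-stopped
    volumes:
      - renovate-valkey-data:/data/valkey

  signoz-logspout:
    # NOTE(review): container logs are forwarded over plain http, and the
    # Docker socket is mounted read-write. Logs often contain tokens or
    # personal data, so treat the collector path as sensitive.
    command: signoz://192.168.1.254:8082
    container_name: signoz-logspout
    environment:
      ENV: prod
      SIGNOZ_LOG_ENDPOINT: http://192.168.1.254:8082
    image: pavanputhra/logspout-signoz:2025.07.19-887dfeb@sha256:6da8ce12279a5262de8b2d5c083ce82d4c878c4eab702b4d328afe147ed7553b
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  snapcast-server:
    image: docker.io/sweisgerber/snapcast:latest@sha256:8859aaf7949781d47787fa048a3c85c7b3ea97aad4270d6f4ae2ff8b341db22c
    hostname: snapcast-server
    container_name: snapcast-server
    environment:
      TZ: ${TZ}
    restart: "unless-stopped"
    ports:
      - "1704:1704"
      - "1705:1705"
      - "1780:1780"
      - "4953:4953"
    # devices:
    #   - /dev/snd:/dev/snd # optional, only if you want to use snapclient
    volumes:
      - ${RIKKU_DOCKER_DIR}/snapcast/config/:/config/
      - ${RIKKU_DOCKER_DIR}/snapcast/data/:/data/

  upsnap:
    container_name: upsnap
    dns:
      - 192.168.1.254
    entrypoint: /bin/sh -c "./upsnap serve --http 0.0.0.0:5000"
    environment:
      TZ: ${TZ}  # Set container timezone for cron schedules
      UPSNAP_INTERVAL: "*/10 * * * * *"  # Sets the interval in which the devices are pinged
      UPSNAP_SCAN_RANGE: 192.168.1.0/24  # Scan range is used for device discovery on local network
      UPSNAP_SCAN_TIMEOUT: 500ms  # Scan timeout is nmap's --host-timeout value to wait for devices (https://nmap.org/book/man-performance.html)
      UPSNAP_PING_PRIVILEGED: "true"  # Set to false if you don't have root user permissions
      UPSNAP_WEBSITE_TITLE: "UpSnap @ Rikku"  # Custom website title
    # # To use a non-root user, create the mountpoint first (mkdir data) so that it has the right permission.
    # # dns is used for name resolution during network scan
    # # or install custom packages for shutdown
    # entrypoint: /bin/sh -c "apk update && apk add --no-cache && rm -rf /var/cache/apk/* && ./upsnap serve --http 0.0.0.0:8090"
    healthcheck:
      test: curl -fs "http://localhost:5000/api/health" || exit 1
      interval: 10s
    image: ghcr.io/seriousm4x/upsnap:5@sha256:a73c9db5a987289da68dc602e68fc0307c9ee57c563f53004d09ae3e3cf45a0a
    # images are also available on docker hub: seriousm4x/upsnap:5
    network_mode: host
    # NOTE(review): privileged plus host networking for a web-facing tool.
    # Raw-socket ping presumably needs only NET_RAW; try cap_add instead of
    # privileged - confirm against the upstream documentation.
    privileged: true
    restart: unless-stopped
    volumes:
      - ${RIKKU_DOCKER_DIR}/upsnap:/app/pb_data

  webhook:
    # NOTE(review): this service runs scripts from /opt/webhook_scripts in
    # response to HTTP requests on a published port. hooks.json is not shown
    # here; confirm every hook carries a trigger rule that checks a secret or
    # payload signature, and that hook arguments are never passed to a shell
    # unvalidated. -verbose may log request details, so review log retention.
    command: "-verbose -hooks=/etc/webhook/hooks.json -hotreload"
    image: thecatlady/webhook:2.8.2@sha256:0507d6c27d87837bcdee5078d63f54e50d9073ae879618233858e3da68d4b0cc
    container_name: webhook
    ports:
      - "9000:9000"
    restart: unless-stopped
    volumes:
      - ${RIKKU_DOCKER_DIR}/webhook/conf:/etc/webhook
      - ${RIKKU_DOCKER_DIR}/webhook/scripts:/opt/webhook_scripts

volumes:
  dockflare_data:
    name: dockflare_data
  patchmon-pg-data:
    name: patchmon-pg-data
  patchmon-redis-data:
    name: patchmon-redis-data
  renovate-valkey-data:
    name: renovate-valkey-data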