Trez/rinoa-docker
4
0
Fork 0
Code Issues 1 Pull Requests 9 Actions Activity

Auto Merge of PR 50 - deploy-pipeline-compose-modified-services
Auto-Unseal for Vault / Unseal Vault (push) Failing after 10m59s
Details

Browse Source 
Merged by Trez.One
This commit was merged in pull request #50.
This commit is contained in:
gitea-sonarqube-bot
2025-05-18 08:13:14 -04:00
parent 7e332e413e 5a71cb877d
commit cdcf86a1a1
4 changed files with 112 additions and 134 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/pr-cloudflare-docker-deploy.yml
+90 -43
View File
@@ -3,6 +3,9 @@ on:
push:
branches-ignore:
- 'main'
paths:
- '**.yml'
- '!ansible/**.yml'
jobs:
check-and-create-pr:
if: github.ref != 'refs/heads/main'
@@ -64,62 +67,107 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Cache Ansible Galaxy Collections
uses: actions/cache@v3
with:
path: ansible/collections
key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
restore-keys: |
${{ runner.os }}-ansible-
- name: Install Ansible
uses: alex-oleshkevich/setup-ansible@v1.0.1
with:
version: "11.0.0"
- name: Fetch base branch
run: |
git fetch origin ${{ github.event.pull_request.base.ref }}
- name: Save both versions of docker-compose.yml
run: |
git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
cp docker-compose.yml docker-compose-head.yml
# - name: Compare Docker Compose changes
# run: |
# git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
# cp docker-compose.yml docker-compose-head.yml
- name: Detect added, deleted, and modified services
id: detect_services
run: |
echo "Getting services from main and ${{ github.ref_name }}"
yq '.services | keys | .[]' docker-compose-main.yml | sort > services_main.txt
yq '.services | keys | .[]' docker-compose-head.yml | sort > services_head.txt
echo "Creating list of modified services..."
touch service_changes.txt
comm -13 services_main.txt services_head.txt | while read service; do
echo "$service: added" >> service_changes.txt
done
comm -12 services_main.txt services_head.txt | while read service; do
yq ".services[\"$service\"]" docker-compose-main.yml > tmp_main.yml
yq ".services[\"$service\"]" docker-compose-head.yml > tmp_head.yml
if ! diff -q tmp_main.yml tmp_head.yml > /dev/null; then
echo "$service: modified" >> service_changes.txt
fi
done
echo "Detected service changes:"
cat service_changes.txt
svc_list=$(paste -sd '|' service_changes.txt)
echo "classified_services=$svc_list" >> "$GITHUB_OUTPUT"
# - name: Cache Ansible Galaxy Collections
# uses: actions/cache@v3
# with:
# path: ansible/collections
# key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
# restore-keys: |
# ${{ runner.os }}-ansible-
# - name: Install Ansible
# uses: alex-oleshkevich/setup-ansible@v1.0.1
# with:
# version: "11.0.0"
- name: Install Vault
uses: cpanato/vault-installer@main
- name: Install hvac
run: pip install hvac
# - name: Install hvac
# run: pip install hvac
# - name: Gotify Notification
# uses: eikendev/gotify-action@master
# with:
# gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
# gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
# notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
# notification_message: 'Starting Ansible dry run...'
# - name: Ansible Playbook Dry Run
# uses: arillso/action.playbook@0.1.0
# with:
# check: true
# galaxy_collections_path: ansible/collections
# galaxy_requirements_file: ansible/collections/requirements.yml
# inventory: ansible/inventory/hosts.yml
# playbook: ansible/docker_config_deploy.yml
# private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
# vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
# verbose: 0
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
notification_message: 'Starting Ansible dry run...'
- name: Ansible Playbook Dry Run
uses: dawidd6/action-ansible-playbook@v2
with:
directory: ansible/
playbook: docker_config_deploy.yml
key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
options: |
--inventory inventory/hosts.yml
--check
requirements: collections/requirements.yml
vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
notification_message: 'Ansible dry run completed successfully; starting Docker Compose'
- name: Generate .env file for Docker Compose Dry Run
run: |
vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
notification_message: 'Starting Docker Compose dry run...'
- name: Cache .env Files
uses: actions/cache@v4
with:
path: .env
key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
- name: Generate modified services list & .env file for Docker Compose Dry Run
id: modded_svcs
run: |
mod_svcs=$(echo "${{ steps.detect_services.outputs.classified_services }}" | sed -e 's/|//g' -e 's/: \(add\|modifi\|delet\)ed/ /g')
echo ${mod_svcs}
vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
- name: Docker Compose Dry Run
uses: yu-ichiro/spin-up-docker-compose-action@v1
timeout-minutes: 360
continue-on-error: true
uses: keatonLiu/docker-compose-remote-action@v1.2
with:
file: docker-compose.yml
pull: true
pull-opts: --dry-run
up: true
up-opts: --dry-run -d --remove-orphans
docker_compose_file: docker-compose.yml
docker_args: -d --remove-orphans --pull missing --no-recreate ${{ steps.modded_svcs.rinoa_svcs.output }}
ssh_user: gitea-deploy
ssh_host: 192.168.1.254
ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
env:
DOCKER_HOST: tcp://dockerproxy:2375
- name: Gotify Notification
@@ -354,7 +402,6 @@ jobs:
run: |
vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
- name: Docker Compose Deployment
# if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
timeout-minutes: 360
continue-on-error: true
uses: keatonLiu/docker-compose-remote-action@v1.2
README.md
+10 -3
View File
@@ -19,7 +19,6 @@
| bitwarden | vaultwarden/server:latest |
| bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
| browserless | ghcr.io/browserless/chromium:latest |
| bytebase | bytebase/bytebase:3.5.0 |
| bytestash | ghcr.io/jordan-dalby/bytestash:latest |
| castopod | castopod/castopod:latest |
| cloudflared | cloudflare/cloudflared:latest |
@@ -33,10 +32,11 @@
| dawarich-app | freikin/dawarich:latest |
| dawarich-pg-db | postgis/postgis:17-3.5-alpine |
| dawarich-sidekiq | freikin/dawarich:latest |
| dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
| delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
| docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
| docker-volume-backup | offen/docker-volume-backup:v2 |
| duplicati | lscr.io/linuxserver/duplicati:latest |
| excalidraw | excalidraw/excalidraw:latest |
| explo | ghcr.io/lumepart/explo:latest |
| fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
| flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
@@ -61,6 +61,8 @@
| invidious | quay.io/invidious/invidious:latest |
| invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
| invidious-db | docker.io/library/postgres:14 |
| invoice-ninja | invoiceninja/invoiceninja-debian:5 |
| invoice-ninja_proxy | nginx |
| it-tools | ghcr.io/corentinth/it-tools:latest |
| jellyfin | jellyfin/jellyfin |
| jitsi-etherpad | etherpad/etherpad:1.8.6 |
@@ -72,6 +74,7 @@
| jitsi-web | jitsi/web:stable |
| joplin-db | postgres:17-alpine |
| joplin | joplin/server:latest |
| languagetool | elestio/languagetool:latest |
| librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
| librechat-vectordb | ankane/pgvector:latest |
| librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
@@ -98,12 +101,15 @@
| ollama | ollama/ollama |
| ombi | lscr.io/linuxserver/ombi:latest |
| omni-tools | iib0011/omni-tools:latest |
| omnipoly | kweg/omnipoly:latest |
| paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
| pgbackweb | eduardolat/pgbackweb:latest |
| pgbackweb-db | postgres:16-alpine |
| plantuml-server | plantuml/plantuml-server:jetty |
| portainer | portainer/portainer-ce:alpine |
| portall | need4swede/portall:latest |
| portnote-web | haedlessdev/portnote:latest |
| portnote-agent | haedlessdev/portnote-agent:latest |
| portnote-pg-db | postgres:17-alpine |
| postal-smtp | ghcr.io/postalserver/postal:latest |
| postal-web | ghcr.io/postalserver/postal:latest |
| postal-worker | ghcr.io/postalserver/postal:latest |
@@ -140,6 +146,7 @@
| wallos | bellamy/wallos:latest |
| watchtower | ghcr.io/containrrr/watchtower:latest |
| web-check | lissy93/web-check |
| whodb | clidey/whodb |
| youtubedl | nbr23/youtube-dl-server:latest |
| zammad-backup | ghcr.io/zammad/zammad:6.5.0-15 |
| zammad-elasticsearch | bitnami/elasticsearch:8.17.4 |
ansible/app-configs/scrutiny_config.yaml.j2 → ansible/app-configs/scrutiny_config_config.yaml.j2
View File
docker-compose.yml
+12 -88
View File
@@ -806,7 +806,7 @@ services:
DOCKER_HOST: tcp://dockerproxy:2375
GID: 1000
BOUNCER_KEY_SWAG: ${CROWDSEC_API_KEY}
COLLECTIONS: crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/linux crowdsecurity/iptables
COLLECTIONS: corvese/apache-guacamole crowdsecurity/home-assistant crowdsecurity/http-cve crowdsecurity/iptables crowdsecurity/linux crowdsecurity/mariadb crowdsecurity/nextcloud crowdsecurity/nginx crowdsecurity/whitelist-good-actors Dominic-Wagner/vaultwarden gauth-fr/immich LePresidente/adguardhome LePresidente/authelia LePresidente/gitea LePresidente/jellyfin LePresidente/ombi plague-doctor/audiobookshelf schiz0phr3ne/sonarr sdwilsh/navidrome timokoessler/mongodb timokoessler/uptime-kuma xs539/joplin-server
image: crowdsecurity/crowdsec:latest
networks:
default: null
@@ -1086,6 +1086,15 @@ services:
- dawarich_public:/var/app/public
- dawarich_watched:/var/app/tmp/imports/watched
- ${DOCKER_VOLUME_CONFIG}/dawarich/sidekiq-entrypoint.sh:/usr/local/bin/sidekiq-entrypoint.sh
dead-man-hand:
container_name: dead-man-hand
environment:
DMH_CONFIG_FILE: /data/config.yaml
image: 'ghcr.io/bkupidura/dead-man-hand:latest'
ports:
- '8080:8080'
volumes:
- ${DOCKER_VOLUME_CONFIG}/dead-man-hand/data:/data
delugevpn:
cap_add:
- NET_ADMIN
@@ -1193,87 +1202,6 @@ services:
source: /var/run/docker.sock
target: /var/run/docker.sock
type: bind
docker-volume-backup:
container_name: docker-volume-backup
image: offen/docker-volume-backup:v2
environment:
BACKUP_ARCHIVE: /archive
BACKUP_CRON_EXPRESSION: '@weekly'
BACKUP_COMPRESSION: zst
BACKUP_FILENAME: rinoa-docker-backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}
BACKUP_FILENAME_EXPAND: true
BACKUP_RETENTION_DAYS: 14
DOCKER_HOST: tcp://dockerproxy:2375
NOTIFICATION_URLS: gotify://gotify/${DV_BKUP_GOTIFY_TOKEN}
restart: always
volumes:
- ${DOCKER_VOLUME_STORAGE}/backups/docker_volume_bkups:/archive
- authelia-pg-db:/backup/authelia-pg-db:ro
- bitmagnet-pg-db:/backup/bitmagnet-pg-db:ro
- bunkerweb-storage:/backup/bunkerweb-storage:ro
- castopod-media:/backup/castopod-media:ro
- crowdsec-config:/backup/crowdsec-config:ro
- crowdsec-db:/backup/crowdsec-db:ro
- dawarich_db_data:/backup/dawarich_db_data:ro
- dawarich_shared:/backup/dawarich_shared:ro
- dawarich_public:/backup/dawarich_public:ro
- dawarich_watched:/backup/dawarich_watched:ro
- docker-volume-bkup-data:/backup/docker-volume-bkup-data:ro
- fastenhealth-cache:/backup/fastenhealth-cache:ro
- fastenhealth-db:/backup/fastenhealth-db:ro
- gitea-pg-db:/backup/gitea-pg-db:ro
- hortusfox_app_backup:/backup/hortusfox_app_backup:ro
- hortusfox_app_images:/backup/hortusfox_app_images:ro
- hortusfox_app_logs:/backup/hortusfox_app_logs:ro
- hortusfox_app_migrate:/backup/hortusfox_app_migrate:ro
- hortusfox_app_themes:/backup/hortusfox_app_themes:ro
- hortusfox_db_data:/backup/hortusfox_db_data:ro
- immich-model-cache:/backup/immich-model-cache:ro
- influxdb2-data:/backup/influxdb2-data:ro
- influxdb2-config:/backup/influxdb2-config:ro
- invidious-postgres:/backup/invidious-postgres:ro
- invoice-ninja_cache:/backup/invoice-ninja_cache:ro
- invoice-ninja_public:/backup/invoice-ninja_public:ro
- invoice-ninja_storage:/backup/invoice-ninja_storage:ro
- jitsi-web-admin-theme:/backup/jitsi-web-admin-theme:ro
- jitsi-web-admin-upload:/backup/jitsi-web-admin-upload:ro
- joplin_data:/backup/joplin_data:ro
- librechat-pg-data:/backup/librechat-pg-data:ro
- libretranslate_models:/backup/libretranslate_models:ro
- lldap_data:/backup/lldap_data:ro
- mastodon-pg-db:/backup/mastodon-pg-db:ro
- mixpost-storage:/backup/mixpost-storage:ro
- mixpost-logs:/backup/mixpost-logs:ro
- mongodb_config:/backup/mongodb_config:ro
- mongodb_data:/backup/mongodb_data:ro
- n8n-data:/backup/n8n-data:ro
- netbird-mgmt:/backup/netbird-mgmt:ro
- netbird-signal:/backup/netbird-signal:ro
- netbird-letsencrypt:/backup/netbird-letsencrypt:ro
- nextcloud_aio_mastercontainer:/backup/nextcloud_aio_mastercontainer:ro
- ollama:/backup/ollama:ro
- paperless-ngx-data:/backup/paperless-ngx-data:ro
- paperless-ngx-media:/backup/paperless-ngx-media:ro
- paperless-ngx-pg:/backup/paperless-ngx-pg:ro
- pgbackweb-data:/backup/pgbackweb-data:ro
- plausible-db-data:/backup/plausible-db-data:ro
- plausible-event-data:/backup/plausible-event-data:ro
- plausible-event-logs:/backup/plausible-event-logs:ro
- portainer-data:/backup/portainer-data:ro
- reactive-resume-pg:/backup/reactive-resume-pg:ro
- semaphore_config:/backup/semaphore_config:ro
- semaphore_data:/backup/semaphore_data:ro
- semaphore_tmp:/backup/semaphore_tmp:ro
- sonarqube-data:/backup/sonarqube-data:ro
- sonarqube-db:/backup/sonarqube-db:ro
- sonarqube-db-data:/backup/sonarqube-db-data:ro
- sonarqube-extensions:/backup/sonarqube-extensions:ro
- sonarqube-logs:/backup/sonarqube-logs:ro
- sonarqube-temp:/backup/sonarqube-temp:ro
- tandoor-pg:/backup/tandoor-pg:ro
- unmanic-cache:/backup/unmanic-cache:ro
- wallos-db:/backup/wallos-db:ro
- wallos-logos:/backup/wallos-logos:ro
duplicati:
container_name: duplicati
environment:
@@ -3986,6 +3914,7 @@ services:
homepage.description: Management for container ports
ports:
- 23186:3000
restart: always
portnote-agent:
container_name: portnote-agent
depends_on:
@@ -3995,6 +3924,7 @@ services:
image: haedlessdev/portnote-agent:latest
environment:
DATABASE_URL: "postgresql://portnote:${PORTNOTE_POSTGRES_PASSWORD}@portnote-pg-db:5432/portnote"
restart: always
portnote-pg-db:
container_name: portnote-pg-db
image: postgres:17-alpine
@@ -5672,12 +5602,6 @@ volumes:
name: paperless-ngx-pg
pgbackweb-data:
name: pgbackweb-data
plausible-db-data:
name: plausible-db-data
plausible-event-data:
name: plausible-event-data
plausible-event-logs:
name: plausible-event-logs
portainer-data:
name: portainer-data
portnote-db-data: