chore: Update README

2025-06-11 22:43:57 +00:00
80 changed files with 61 additions and 274 deletions
@@ -6,7 +6,6 @@ on:
      - 'main'
    paths:
      - '**.j2'
      - '**/pr-ansible-config-deployment.yaml'
      - 'ansible/**.yml'
 jobs:
  check-and-create-pr:
@@ -42,7 +41,7 @@ jobs:
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[ANSIBLE\].*${{ github.ref_name }}' | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -50,7 +49,7 @@ jobs:
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "[ANSIBLE] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -59,7 +58,7 @@ jobs:
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
  ansible-linting:
-    name: Ansible Lint
+    name: Docker Compose & Ansible Lints
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
@@ -69,6 +68,9 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Fetch base branch
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}
      - name: Cache Ansible Galaxy Collections
        uses: actions/cache@v3
        with:
@@ -79,12 +81,11 @@ jobs:
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
-          version: "11.4.0"
+          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
-        run: |
+        run: pip install hvac
          pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -93,17 +94,16 @@ jobs:
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
          notification_message: 'Starting Ansible dry run...'
      - name: Ansible Playbook Dry Run
-        uses: dawidd6/action-ansible-playbook@v3
+        uses: arillso/action.playbook@0.1.0
        with:
-          directory: ansible/
+          check: true
-          playbook: docker_config_deploy.yml
+          galaxy_collections_path: ansible/collections
-          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          galaxy_requirements_file: ansible/collections/requirements.yml
          inventory: ansible/inventory/hosts.yml
          playbook: ansible/docker_config_deploy.yml
          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-          requirements: collections/requirements.yml
+          verbose: 0
          options: |
            --check
            --inventory inventory/hosts.yml
            -v
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -153,10 +153,6 @@ jobs:
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: 3.12
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
@@ -166,12 +162,11 @@ jobs:
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
-          version: "11.4.0"
+          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
-        run: |
+        run: pip install hvac
          pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -180,15 +175,15 @@ jobs:
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Starting config deployment with Ansible...'
      - name: Ansible Playbook Config Deploy
-        uses: dawidd6/action-ansible-playbook@v3
+        uses: arillso/action.playbook@0.1.0
        with:
-          directory: ansible/
+          check: false
-          playbook: docker_config_deploy.yml
+          galaxy_collections_path: ansible/collections
-          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          galaxy_requirements_file: ansible/collections/requirements.yml
          inventory: ansible/inventory/hosts.yml
          playbook: ansible/docker_config_deploy.yml
          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
          requirements: collections/requirements.yml
          options: |
            --inventory inventory/hosts.yml
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -42,7 +42,7 @@ jobs:
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[DOCKER\].*${{ github.ref_name }}' | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -50,7 +50,7 @@ jobs:
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "[DOCKER] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -317,6 +317,10 @@ jobs:
        with:
          path: /opt/hostedtoolcache/vault/1.18.0/x64
          key: vault-${{ runner.os }}-1.18.0
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Login to Gitea Container Registry
@@ -332,7 +336,7 @@ jobs:
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-      - name: Docker Compose Deployment
+      - name: Docker Compose Dry Run
        timeout-minutes: 360
        continue-on-error: true
        uses: chaplyk/docker-compose-remote-action@v1.1
@@ -1,8 +1,7 @@
 name: Auto-Unseal for Vault
 on:
  workflow_dispatch:
  schedule:
-    - cron: "0 5 * * *"
+    - cron: "30 2 * * *"
 jobs:
  auto-unseal:
    name: Unseal Vault
@@ -1,65 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 source: journalctl
 journalctl_filter:
  - "--directory=/var/log/host/"
 labels:
  type: syslog
 ---
 filenames:
  - /var/log/swag/*
 labels:
  type: nginx
 ---
 filenames:
  - /var/log/auth/auth.log
 labels:
  type: syslog
 ---
 filenames:
  - /var/lib/mysql/log/mysql/*
  - /var/lib/mysql/databases/*.err
  - /var/lib/mysql/databases/*.log
 labels:
  type: mariadb
 ---
 source: docker
 container_name:
  - adguard
 labels:
  type: adguardhome
 ---
 source: docker
 container_name:
 - mongodb
 labels:
  type: mongodb
 ---
 source: docker
 container_name:
 - immich-server
 labels:
  type: immich
 ---
 source: docker
 container_name:
 - uptimekuma
 labels:
  type: uptime-kuma
 ---
 source: docker
 container_name:
 - jellyfin
 labels:
  type: jellyfin
 ---
 source: docker
 container_name:
 - navidrome
 labels:
  type: navidrome
 ---
 filenames:
  - /var/log/audiobookshelf/*.txt
 labels:
  type: audiobookshelf
@@ -0,0 +1,15 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 source: journalctl
 journalctl_filter: 
  - "--directory=/var/log/host/"
 labels:
  type: syslog
 ---
 filenames:
  - /var/log/swag/*
 labels:
  type: nginx
 ---
@@ -1,5 +1,3 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 common:
  daemonize: false
  log_media: stdout
@@ -1,103 +0,0 @@
 receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
      http:
        endpoint: 0.0.0.0:4318
  prometheus:
    config:
      global:
        scrape_interval: 60s
      scrape_configs:
        - job_name: otel-collector
          static_configs:
          - targets:
              - localhost:8888
            labels:
              job_name: otel-collector
 processors:
  batch:
    send_batch_size: 10000
    send_batch_max_size: 11000
    timeout: 10s
  resourcedetection:
    # Using OTEL_RESOURCE_ATTRIBUTES envvar, env detector adds custom labels.
    detectors: [env, system]
    timeout: 2s
  signozspanmetrics/delta:
    metrics_exporter: clickhousemetricswrite, signozclickhousemetrics
    metrics_flush_interval: 60s
    latency_histogram_buckets: [100us, 1ms, 2ms, 6ms, 10ms, 50ms, 100ms, 250ms, 500ms, 1000ms, 1400ms, 2000ms, 5s, 10s, 20s, 40s, 60s ]
    dimensions_cache_size: 100000
    aggregation_temporality: AGGREGATION_TEMPORALITY_DELTA
    enable_exp_histogram: true
    dimensions:
      - name: service.namespace
        default: default
      - name: deployment.environment
        default: default
      # This is added to ensure the uniqueness of the timeseries
      # Otherwise, identical timeseries produced by multiple replicas of
      # collectors result in incorrect APM metrics
      - name: signoz.collector.id
      - name: service.version
      - name: browser.platform
      - name: browser.mobile
      - name: k8s.cluster.name
      - name: k8s.node.name
      - name: k8s.namespace.name
      - name: host.name
      - name: host.type
      - name: container.name
 extensions:
  health_check:
    endpoint: 0.0.0.0:13133
  pprof:
    endpoint: 0.0.0.0:1777
 exporters:
  clickhousetraces:
    datasource: tcp://clickhouse:9000/signoz_traces
    low_cardinal_exception_grouping: ${env:LOW_CARDINAL_EXCEPTION_GROUPING}
    use_new_schema: true
  clickhousemetricswrite:
    endpoint: tcp://clickhouse:9000/signoz_metrics
    disable_v2: true
    resource_to_telemetry_conversion:
      enabled: true
  clickhousemetricswrite/prometheus:
    endpoint: tcp://clickhouse:9000/signoz_metrics
    disable_v2: true
  signozclickhousemetrics:
    dsn: tcp://clickhouse:9000/signoz_metrics
  clickhouselogsexporter:
    dsn: tcp://clickhouse:9000/signoz_logs
    timeout: 10s
    use_new_schema: true
  # debug: {}
 service:
  telemetry:
    logs:
      encoding: json
    metrics:
      address: 0.0.0.0:8888
  extensions:
    - health_check
    - pprof
  pipelines:
    traces:
      receivers: [otlp]
      processors: [signozspanmetrics/delta, batch]
      exporters: [clickhousetraces]
    metrics:
      receivers: [otlp]
      processors: [batch]
      exporters: [clickhousemetricswrite, signozclickhousemetrics]
    metrics/prometheus:
      receivers: [prometheus]
      processors: [batch]
      exporters: [clickhousemetricswrite/prometheus, signozclickhousemetrics]
    logs:
      receivers: [otlp]
      processors: [batch]
      exporters: [clickhouselogsexporter]
@@ -0,0 +1 @@
 server_endpoint: ws://signoz:4320/v1/opamp
@@ -1,42 +1,20 @@
 ---
 - name: Deploy Docker Service Configurations
  hosts: rinoa
  vars:
    appdata_base_path: "~/.docker/config/appdata"
    template_base_path: "{{ playbook_dir }}/app-configs"
  tasks:
    - name: Recursively collect all Jinja2 templates (*.j2)
      ansible.builtin.find:
        paths: "{{ template_base_path }}"
        patterns: "*.j2"
        recurse: true
      register: template_files
    - name: Set relative template path (without .j2) for each file
      ansible.builtin.set_fact:
        rel_template_path: >-
          {{ item.path
             | regex_replace('^' + (template_base_path | regex_escape) + '/', '')
             | regex_replace('\\.j2$', '') }}
      loop: "{{ template_files.files }}"
      loop_control:
        loop_var: item
      register: rel_paths
    - name: Ensure target directories exist
      ansible.builtin.file:
-        path: "{{ appdata_base_path }}/{{ item.ansible_facts.rel_template_path | dirname }}"
+        path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
        state: directory
        mode: '0755'
-      loop: "{{ rel_paths.results }}"
+      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
      loop_control:
        label: "{{ item.ansible_facts.rel_template_path }}"
-    - name: Deploy rendered templates
+    - name: Deploy configuration templates
      ansible.builtin.template:
-        src: "{{ item.item.path | regex_replace('^' + (playbook_dir | regex_escape) + '/', '') }}"
+        src: "{{ item }}"
-        dest: "{{ appdata_base_path }}/{{ item.ansible_facts.rel_template_path }}"
+        dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
        mode: '0644'
-      loop: "{{ rel_paths.results }}"
+      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
      loop_control:
        label: "{{ item.ansible_facts.rel_template_path }}"
@@ -712,29 +712,7 @@ services:
      DOCKER_HOST: tcp://dockerproxy:2375
      GID: 1000
      BOUNCER_KEY_SWAG: ${CROWDSEC_API_KEY}
-      COLLECTIONS: >-
+      COLLECTIONS: corvese/apache-guacamole crowdsecurity/home-assistant crowdsecurity/http-cve crowdsecurity/iptables crowdsecurity/linux crowdsecurity/mariadb crowdsecurity/nextcloud crowdsecurity/nginx crowdsecurity/whitelist-good-actors Dominic-Wagner/vaultwarden gauth-fr/immich LePresidente/adguardhome LePresidente/authelia LePresidente/gitea LePresidente/jellyfin LePresidente/ombi plague-doctor/audiobookshelf schiz0phr3ne/sonarr sdwilsh/navidrome timokoessler/mongodb timokoessler/uptime-kuma xs539/joplin-server
        corvese/apache-guacamole
        crowdsecurity/home-assistant
        crowdsecurity/http-cve
        crowdsecurity/iptables
        crowdsecurity/linux
        crowdsecurity/mariadb
        crowdsecurity/nextcloud
        crowdsecurity/nginx
        crowdsecurity/whitelist-good-actors
        Dominic-Wagner/vaultwarden
        gauth-fr/immich
        LePresidente/adguardhome
        LePresidente/authelia
        LePresidente/gitea
        LePresidente/jellyfin
        LePresidente/ombi
        plague-doctor/audiobookshelf
        schiz0phr3ne/sonarr
        sdwilsh/navidrome
        timokoessler/mongodb
        timokoessler/uptime-kuma
        xs539/joplin-server
    image: crowdsecurity/crowdsec:latest
    networks:
      default: null
@@ -747,13 +725,10 @@ services:
      - ${DOCKER_VOLUME_CONFIG}/crowdsec/config.yaml.local:/etc/crowdsec/config.yaml
      - ${DOCKER_VOLUME_CONFIG}/crowdsec/local-api-credentials.yaml:/etc/crowdsec/local_api_credentials.yaml
      - ${DOCKER_VOLUME_CONFIG}/crowdsec/online-api-credentials.yaml:/etc/crowdsec/online_api_credentials.yaml
-      - ${DOCKER_VOLUME_CONFIG}/swag/log/nginx:/var/log/swag:ro # SWAG
+      - ${DOCKER_VOLUME_CONFIG}/swag/log/nginx:/var/log/swag:ro
      - ${DOCKER_VOLUME_CONFIG}/mariadb/:/var/lib/mysql:ro # MariaDB
      - ${DOCKER_VOLUME_CONFIG}/audiobookshelf/.metadata/logs:/var/log/audiobookself:ro # Audiobookshelf
      - crowdsec-config:/etc/crowdsec
      - crowdsec-db:/var/lib/crowdsec/data
      - /var/log/journal:/var/log/host:ro
      - /var/log/auth.log:/var/log/host/auth.log:ro
  crowdsec-dashboard:
    container_name: crowdsec-dashboard
    depends_on:
@@ -1372,11 +1347,6 @@ services:
      GITEA__mailer__PASSWD: ${POSTAL_SMTP_AUTH_PASSWORD}
    image: gitea/gitea:1.24.0
    labels:
      cloudflare.tunnel.enable: true
      cloudflare.tunnel.hostname: git-ssh.trez.wtf
      cloudflare.tunnel.service: http://gitea:22
      cloudflare.tunnel.zonename: trez.wtf
      cloudflare.tunnel.no_tls_verify: true
      homepage.group: Code/DevOps
      homepage.name: Gitea
      homepage.href: https://git.${MY_TLD}
@@ -4435,11 +4405,6 @@ services:
      - "/dev/sdf:/dev/sdf:rwm"
    image: ghcr.io/analogj/scrutiny:master-omnibus
    labels:
      cloudflare.tunnel.enable: true
      cloudflare.tunnel.hostname: smartd.trez.wtf
      cloudflare.tunnel.service: http://scrutiny:8080
      cloudflare.tunnel.zonename: trez.wtf
      cloudflare.tunnel.no_tls_verify: true
      homepage.group: Infrastructure/App Performance Monitoring
      homepage.name: Scrutiny
      homepage.href: http://192.168.1.254:8909
@@ -4670,7 +4635,7 @@ services:
  signoz-schema-migrator-sync:
    <<: *signoz-common
    image: signoz/signoz-schema-migrator:${OTELCOL_TAG:-v0.111.42}
-    container_name: signoz-schema-migrator-sync
+    container_name: schema-migrator-sync
    command:
      - sync
      - --dsn=tcp://signoz-clickhouse:9000
@@ -4682,7 +4647,7 @@ services:
  signoz-schema-migrator-async:
    <<: *signoz-db-depend
    image: signoz/signoz-schema-migrator:${OTELCOL_TAG:-v0.111.42}
-    container_name: signoz-schema-migrator-async
+    container_name: schema-migrator-async
    command:
      - async
      - --dsn=tcp://signoz-clickhouse:9000
@@ -4942,7 +4907,7 @@ services:
      VALIDATION: dns
      CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
      CROWDSEC_LAPI_URL: http://crowdsec:8080
-      DOCKER_MODS: linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind|linuxserver/mods:universal-stdout-logs|linuxserver/mods:universal-package-install|ghcr.io/linuxserver/mods:swag-crowdsec #|linuxserver/mods:swag-auto-uptime-kuma
+      DOCKER_MODS: linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind|linuxserver/mods:universal-stdout-logs|linuxserver/mods:universal-package-install #|ghcr.io/linuxserver/mods:swag-crowdsec#|linuxserver/mods:swag-auto-uptime-kuma
      INSTALL_PACKAGES: nginx-mod-http-js
      PROPAGATION: 30
      UPTIME_KUMA_PASSWORD: ${UPTIME_KUMA_PASSWORD}