Adding Dockflare labels for tunnels; renaming Signoz migrator containers.

Merged by Trez.One

.gitea/workflows/pr-ansible-config-deployment.yaml

@@ -6,6 +6,7 @@ on:
       - 'main'
     paths:
       - '**.j2'
+      - '**/pr-ansible-config-deployment.yaml'
       - 'ansible/**.yml'
 jobs:
   check-and-create-pr:
@@ -41,7 +42,7 @@ jobs:
         continue-on-error: true
         run: |
           tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[ANSIBLE\].*${{ github.ref_name }}' | tail -1 | wc -l)
           echo "exists=$pr_exists" >> $GITHUB_OUTPUT
       - name: Create PR
         if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -49,7 +50,7 @@ jobs:
           tea login default gitea-rinoa
           pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
           pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "[ANSIBLE] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -58,7 +59,7 @@ jobs:
           notification_title: 'GITEA: PR Check'
           notification_message: 'PR Created 🎟️'
   ansible-linting:
-    name: Docker Compose & Ansible Lints
+    name: Ansible Lint
     needs: [check-and-create-pr]
     runs-on: ubuntu-latest
     env:
@@ -68,9 +69,6 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Fetch base branch
-        run: |
-          git fetch origin ${{ github.event.pull_request.base.ref }}
       - name: Cache Ansible Galaxy Collections
         uses: actions/cache@v3
         with:
@@ -81,11 +79,12 @@ jobs:
       - name: Install Ansible
         uses: alex-oleshkevich/setup-ansible@v1.0.1
         with:
-          version: "11.0.0"
+          version: "11.4.0"
       - name: Install Vault
         uses: cpanato/vault-installer@main
       - name: Install hvac
-        run: pip install hvac
+        run: |
+          pip install hvac
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -94,16 +93,17 @@ jobs:
           notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
           notification_message: 'Starting Ansible dry run...'
       - name: Ansible Playbook Dry Run
-        uses: arillso/action.playbook@0.1.0
+        uses: dawidd6/action-ansible-playbook@v3
         with:
-          check: true
+          directory: ansible/
-          galaxy_collections_path: ansible/collections
+          playbook: docker_config_deploy.yml
-          galaxy_requirements_file: ansible/collections/requirements.yml
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          inventory: ansible/inventory/hosts.yml
-          playbook: ansible/docker_config_deploy.yml
-          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
           vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-          verbose: 0
+          requirements: collections/requirements.yml
+          options: |
+            --check
+            --inventory inventory/hosts.yml
+            -v
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -153,6 +153,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: main
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.12
       - name: Cache Vault install
         id: cache-vault
         uses: actions/cache@v4
@@ -162,11 +166,12 @@ jobs:
       - name: Install Ansible
         uses: alex-oleshkevich/setup-ansible@v1.0.1
         with:
-          version: "11.0.0"
+          version: "11.4.0"
       - name: Install Vault
         uses: cpanato/vault-installer@main
       - name: Install hvac
-        run: pip install hvac
+        run: |
+          pip install hvac
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -175,15 +180,15 @@ jobs:
           notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
           notification_message: 'Starting config deployment with Ansible...'
       - name: Ansible Playbook Config Deploy
-        uses: arillso/action.playbook@0.1.0
+        uses: dawidd6/action-ansible-playbook@v3
         with:
-          check: false
+          directory: ansible/
-          galaxy_collections_path: ansible/collections
+          playbook: docker_config_deploy.yml
-          galaxy_requirements_file: ansible/collections/requirements.yml
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          inventory: ansible/inventory/hosts.yml
-          playbook: ansible/docker_config_deploy.yml
-          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
           vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+          requirements: collections/requirements.yml
+          options: |
+            --inventory inventory/hosts.yml
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -42,7 +42,7 @@ jobs:
         continue-on-error: true
         run: |
           tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[DOCKER\].*${{ github.ref_name }}' | tail -1 | wc -l)
           echo "exists=$pr_exists" >> $GITHUB_OUTPUT
       - name: Create PR
         if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -50,7 +50,7 @@ jobs:
           tea login default gitea-rinoa
           pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
           pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "[DOCKER] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -136,14 +136,17 @@ jobs:
       - name: Docker Compose Dry Run
         timeout-minutes: 360
         continue-on-error: true
-        uses: keatonLiu/docker-compose-remote-action@v1.2
+        uses: chaplyk/docker-compose-remote-action@v1.1
         with:
-          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing ${{ steps.modded_svcs.outputs.rinoa_svcs }}
-          ssh_user: gitea-deploy
           ssh_host: 192.168.1.254
-          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
+          ssh_port: 22
-          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          ssh_user: gitea-deploy
+          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          service: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+          compose_file: docker-compose.yml
+          pull: false
+          build: false
+          options: -d --remove-orphans
         env:
           DOCKER_HOST: tcp://dockerproxy:2375
       - name: Gotify Notification
@@ -296,12 +299,13 @@ jobs:
   docker-compose-deploy:
     name: Docker Compose Deployment
     runs-on: ubuntu-latest
-    needs: [pr-merge]
+    needs: [docker-compose-dry-run, pr-merge]
     env:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
       DOCKER_HOST: tcp://dockerproxy:2375
       RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+      DOCKER_SVC_LIST: ${{ needs.docker-compose-dry-run.outputs.svc_deploy_list }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -313,10 +317,6 @@ jobs:
         with:
           path: /opt/hostedtoolcache/vault/1.18.0/x64
           key: vault-${{ runner.os }}-1.18.0
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
       - name: Install Vault
         uses: cpanato/vault-installer@main
       - name: Login to Gitea Container Registry
@@ -335,14 +335,19 @@ jobs:
       - name: Docker Compose Deployment
         timeout-minutes: 360
         continue-on-error: true
-        uses: keatonLiu/docker-compose-remote-action@v1.2
+        uses: chaplyk/docker-compose-remote-action@v1.1
+        env:
+          DOCKER_HOST: tcp://dockerproxy:2375
         with:
-          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing ${{ docker-compose-dry-run.outputs.svc_deploy_list }}
-          ssh_user: gitea-deploy
           ssh_host: 192.168.1.254
-          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
+          ssh_port: 22
-          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          ssh_user: gitea-deploy
+          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          service: ${DOCKER_SVC_LIST}
+          compose_file: docker-compose.yml
+          pull: false
+          build: false
+          options: -d --remove-orphans
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:

.gitea/workflows/vault-auto-unseal-flow.yml

@@ -1,7 +1,8 @@
 name: Auto-Unseal for Vault
 on:
+  workflow_dispatch:
   schedule:
-    - cron: "30 2 * * *"
+    - cron: "0 5 * * *"
 jobs:
   auto-unseal:
     name: Unseal Vault

README.md

@@ -39,7 +39,7 @@
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
 | freescout | tiredofit/freescout:latest |
 | ghost | ghost:latest |
-| gitea | gitea/gitea:1.23.1 |
+| gitea | gitea/gitea:1.24.0 |
 | gitea-db | postgres:14 |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |

ansible/app-configs/apprise/apprise.yml.j2

@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+urls:
+  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
+  - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf

ansible/app-configs/apprise_apprise.yml.j2

@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf

ansible/app-configs/crowdsec/acquis.yaml.j2

@@ -0,0 +1,65 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+source: journalctl
+journalctl_filter:
+  - "--directory=/var/log/host/"
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/swag/*
+labels:
+  type: nginx
+---
+filenames:
+  - /var/log/auth/auth.log
+labels:
+  type: syslog
+---
+filenames:
+  - /var/lib/mysql/log/mysql/*
+  - /var/lib/mysql/databases/*.err
+  - /var/lib/mysql/databases/*.log
+labels:
+  type: mariadb
+---
+source: docker
+container_name:
+  - adguard
+labels:
+  type: adguardhome
+---
+source: docker
+container_name:
+ - mongodb
+labels:
+  type: mongodb
+---
+source: docker
+container_name:
+ - immich-server
+labels:
+  type: immich
+---
+source: docker
+container_name:
+ - uptimekuma
+labels:
+  type: uptime-kuma
+---
+source: docker
+container_name:
+ - jellyfin
+labels:
+  type: jellyfin
+---
+source: docker
+container_name:
+ - navidrome
+labels:
+  type: navidrome
+---
+filenames:
+  - /var/log/audiobookshelf/*.txt
+labels:
+  type: audiobookshelf

ansible/app-configs/crowdsec/config.yaml.j2

@@ -0,0 +1,51 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+common:
+  daemonize: false
+  log_media: stdout
+  log_level: info
+  log_dir: /var/log/
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: /var/lib/crowdsec/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+  notification_dir: /etc/crowdsec/notifications/
+  plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  acquisition_dir: /etc/crowdsec/acquis.d
+  parser_routines: 1
+plugin_config:
+  user: nobody
+  group: nobody
+cscli:
+  output: human
+db_config:
+  log_level: info
+  type: sqlite
+  db_path: /var/lib/crowdsec/data/crowdsec.db
+  flush:
+    max_items: 5000
+    max_age: 7d
+  use_wal: false
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+  server:
+    log_level: info
+    listen_uri: 0.0.0.0:8080
+    profiles_path: /etc/crowdsec/profiles.yaml
+    trusted_ips: # IP ranges, or IPs which can have admin API access
+      - 127.0.0.1
+      - ::1
+    online_client: # Central API credentials (to push signals and receive bad IPs)
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+    enable: true
+prometheus:
+  enabled: true
+  level: full
+  listen_addr: 0.0.0.0
+  listen_port: 6060

ansible/app-configs/crowdsec/online-api-credentials.yaml.j2

@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: https://api.crowdsec.net/
+login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}

ansible/app-configs/crowdsec_acquis.yaml.j2

@@ -1,15 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-
-source: journalctl
-journalctl_filter: 
-  - "--directory=/var/log/host/"
-labels:
-  type: syslog
----
-filenames:
-  - /var/log/swag/*
-labels:
-  type: nginx
----

ansible/app-configs/signoz/otel/otel-collector-config.yaml.j2

@@ -0,0 +1,103 @@
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+      http:
+        endpoint: 0.0.0.0:4318
+  prometheus:
+    config:
+      global:
+        scrape_interval: 60s
+      scrape_configs:
+        - job_name: otel-collector
+          static_configs:
+          - targets:
+              - localhost:8888
+            labels:
+              job_name: otel-collector
+processors:
+  batch:
+    send_batch_size: 10000
+    send_batch_max_size: 11000
+    timeout: 10s
+  resourcedetection:
+    # Using OTEL_RESOURCE_ATTRIBUTES envvar, env detector adds custom labels.
+    detectors: [env, system]
+    timeout: 2s
+  signozspanmetrics/delta:
+    metrics_exporter: clickhousemetricswrite, signozclickhousemetrics
+    metrics_flush_interval: 60s
+    latency_histogram_buckets: [100us, 1ms, 2ms, 6ms, 10ms, 50ms, 100ms, 250ms, 500ms, 1000ms, 1400ms, 2000ms, 5s, 10s, 20s, 40s, 60s ]
+    dimensions_cache_size: 100000
+    aggregation_temporality: AGGREGATION_TEMPORALITY_DELTA
+    enable_exp_histogram: true
+    dimensions:
+      - name: service.namespace
+        default: default
+      - name: deployment.environment
+        default: default
+      # This is added to ensure the uniqueness of the timeseries
+      # Otherwise, identical timeseries produced by multiple replicas of
+      # collectors result in incorrect APM metrics
+      - name: signoz.collector.id
+      - name: service.version
+      - name: browser.platform
+      - name: browser.mobile
+      - name: k8s.cluster.name
+      - name: k8s.node.name
+      - name: k8s.namespace.name
+      - name: host.name
+      - name: host.type
+      - name: container.name
+extensions:
+  health_check:
+    endpoint: 0.0.0.0:13133
+  pprof:
+    endpoint: 0.0.0.0:1777
+exporters:
+  clickhousetraces:
+    datasource: tcp://clickhouse:9000/signoz_traces
+    low_cardinal_exception_grouping: ${env:LOW_CARDINAL_EXCEPTION_GROUPING}
+    use_new_schema: true
+  clickhousemetricswrite:
+    endpoint: tcp://clickhouse:9000/signoz_metrics
+    disable_v2: true
+    resource_to_telemetry_conversion:
+      enabled: true
+  clickhousemetricswrite/prometheus:
+    endpoint: tcp://clickhouse:9000/signoz_metrics
+    disable_v2: true
+  signozclickhousemetrics:
+    dsn: tcp://clickhouse:9000/signoz_metrics
+  clickhouselogsexporter:
+    dsn: tcp://clickhouse:9000/signoz_logs
+    timeout: 10s
+    use_new_schema: true
+  # debug: {}
+service:
+  telemetry:
+    logs:
+      encoding: json
+    metrics:
+      address: 0.0.0.0:8888
+  extensions:
+    - health_check
+    - pprof
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [signozspanmetrics/delta, batch]
+      exporters: [clickhousetraces]
+    metrics:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [clickhousemetricswrite, signozclickhousemetrics]
+    metrics/prometheus:
+      receivers: [prometheus]
+      processors: [batch]
+      exporters: [clickhousemetricswrite/prometheus, signozclickhousemetrics]
+    logs:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [clickhouselogsexporter]

ansible/app-configs/signoz_common_signoz_otel-collector-opamp-config.yaml.j2

@@ -1 +0,0 @@
-server_endpoint: ws://signoz:4320/v1/opamp

ansible/docker_config_deploy.yml

@@ -1,20 +1,42 @@
----
 - name: Deploy Docker Service Configurations
   hosts: rinoa
   vars:
     appdata_base_path: "~/.docker/config/appdata"
+    template_base_path: "{{ playbook_dir }}/app-configs"
 
   tasks:
+    - name: Recursively collect all Jinja2 templates (*.j2)
+      ansible.builtin.find:
+        paths: "{{ template_base_path }}"
+        patterns: "*.j2"
+        recurse: true
+      register: template_files
+
+    - name: Set relative template path (without .j2) for each file
+      ansible.builtin.set_fact:
+        rel_template_path: >-
+          {{ item.path
+             | regex_replace('^' + (template_base_path | regex_escape) + '/', '')
+             | regex_replace('\\.j2$', '') }}
+      loop: "{{ template_files.files }}"
+      loop_control:
+        loop_var: item
+      register: rel_paths
+
     - name: Ensure target directories exist
       ansible.builtin.file:
-        path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
+        path: "{{ appdata_base_path }}/{{ item.ansible_facts.rel_template_path | dirname }}"
         state: directory
         mode: '0755'
-      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
+      loop: "{{ rel_paths.results }}"
+      loop_control:
+        label: "{{ item.ansible_facts.rel_template_path }}"
 
-    - name: Deploy configuration templates
+    - name: Deploy rendered templates
       ansible.builtin.template:
-        src: "{{ item }}"
+        src: "{{ item.item.path | regex_replace('^' + (playbook_dir | regex_escape) + '/', '') }}"
-        dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
+        dest: "{{ appdata_base_path }}/{{ item.ansible_facts.rel_template_path }}"
         mode: '0644'
-      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
+      loop: "{{ rel_paths.results }}"
+      loop_control:
+        label: "{{ item.ansible_facts.rel_template_path }}"

docker-compose.yml

@@ -712,7 +712,29 @@ services:
       DOCKER_HOST: tcp://dockerproxy:2375
       GID: 1000
       BOUNCER_KEY_SWAG: ${CROWDSEC_API_KEY}
-      COLLECTIONS: corvese/apache-guacamole crowdsecurity/home-assistant crowdsecurity/http-cve crowdsecurity/iptables crowdsecurity/linux crowdsecurity/mariadb crowdsecurity/nextcloud crowdsecurity/nginx crowdsecurity/whitelist-good-actors Dominic-Wagner/vaultwarden gauth-fr/immich LePresidente/adguardhome LePresidente/authelia LePresidente/gitea LePresidente/jellyfin LePresidente/ombi plague-doctor/audiobookshelf schiz0phr3ne/sonarr sdwilsh/navidrome timokoessler/mongodb timokoessler/uptime-kuma xs539/joplin-server
+      COLLECTIONS: >-
+        corvese/apache-guacamole
+        crowdsecurity/home-assistant
+        crowdsecurity/http-cve
+        crowdsecurity/iptables
+        crowdsecurity/linux
+        crowdsecurity/mariadb
+        crowdsecurity/nextcloud
+        crowdsecurity/nginx
+        crowdsecurity/whitelist-good-actors
+        Dominic-Wagner/vaultwarden
+        gauth-fr/immich
+        LePresidente/adguardhome
+        LePresidente/authelia
+        LePresidente/gitea
+        LePresidente/jellyfin
+        LePresidente/ombi
+        plague-doctor/audiobookshelf
+        schiz0phr3ne/sonarr
+        sdwilsh/navidrome
+        timokoessler/mongodb
+        timokoessler/uptime-kuma
+        xs539/joplin-server
     image: crowdsecurity/crowdsec:latest
     networks:
       default: null
@@ -722,36 +744,16 @@ services:
     security_opt:
       - no-new-privileges=true
     volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/crowdsec/config.yaml.local
+      - ${DOCKER_VOLUME_CONFIG}/crowdsec/config.yaml.local:/etc/crowdsec/config.yaml
-        target: /etc/crowdsec/config.yaml.local
+      - ${DOCKER_VOLUME_CONFIG}/crowdsec/local-api-credentials.yaml:/etc/crowdsec/local_api_credentials.yaml
-        type: bind
+      - ${DOCKER_VOLUME_CONFIG}/crowdsec/online-api-credentials.yaml:/etc/crowdsec/online_api_credentials.yaml
-        bind:
+      - ${DOCKER_VOLUME_CONFIG}/swag/log/nginx:/var/log/swag:ro # SWAG
-          create_host_path: true
+      - ${DOCKER_VOLUME_CONFIG}/mariadb/:/var/lib/mysql:ro # MariaDB
-      - source: ${DOCKER_VOLUME_CONFIG}/crowdsec/local_api_credentials.yaml.local
+      - ${DOCKER_VOLUME_CONFIG}/audiobookshelf/.metadata/logs:/var/log/audiobookself:ro # Audiobookshelf
-        target: /etc/crowdsec/local_api_credentials.yaml.local
+      - crowdsec-config:/etc/crowdsec
-        type: bind
+      - crowdsec-db:/var/lib/crowdsec/data
-        bind:
+      - /var/log/journal:/var/log/host:ro
-          create_host_path: true
+      - /var/log/auth.log:/var/log/host/auth.log:ro
-      - read_only: true
-        source: ${DOCKER_VOLUME_CONFIG}/swag/log/nginx
-        target: /var/log/swag
-        type: bind
-        bind:
-          create_host_path: true
-      - source: crowdsec-config
-        target: /etc/crowdsec
-        type: volume
-        volume: {}
-      - source: crowdsec-db
-        target: /var/lib/crowdsec/data
-        type: volume
-        volume: {}
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /var/log/journal
-        target: /var/log/host
-        type: bind
   crowdsec-dashboard:
     container_name: crowdsec-dashboard
     depends_on:
@@ -1067,6 +1069,7 @@ services:
       homepage.icon: /icons/dockflare.png
       homepage.description: Cloudflare Tunnel controller
       swag: enable
+      swag_auth: authelia
       swag_proto: http
       swag_url: cftunn.${MY_TLD}
       swag.uptime-kuma.enabled: true
@@ -1367,8 +1370,13 @@ services:
       GITEA__mailer__SMTP_PORT: 25
       GITEA__mailer__USER: ${POSTAL_SMTP_AUTH_USER}
       GITEA__mailer__PASSWD: ${POSTAL_SMTP_AUTH_PASSWORD}
-    image: gitea/gitea:1.23.1
+    image: gitea/gitea:1.24.0
     labels:
+      cloudflare.tunnel.enable: true
+      cloudflare.tunnel.hostname: git-ssh.trez.wtf
+      cloudflare.tunnel.service: http://gitea:22
+      cloudflare.tunnel.zonename: trez.wtf
+      cloudflare.tunnel.no_tls_verify: true
       homepage.group: Code/DevOps
       homepage.name: Gitea
       homepage.href: https://git.${MY_TLD}
@@ -4427,6 +4435,11 @@ services:
       - "/dev/sdf:/dev/sdf:rwm"
     image: ghcr.io/analogj/scrutiny:master-omnibus
     labels:
+      cloudflare.tunnel.enable: true
+      cloudflare.tunnel.hostname: smartd.trez.wtf
+      cloudflare.tunnel.service: http://scrutiny:8080
+      cloudflare.tunnel.zonename: trez.wtf
+      cloudflare.tunnel.no_tls_verify: true
       homepage.group: Infrastructure/App Performance Monitoring
       homepage.name: Scrutiny
       homepage.href: http://192.168.1.254:8909
@@ -4657,7 +4670,7 @@ services:
   signoz-schema-migrator-sync:
     <<: *signoz-common
     image: signoz/signoz-schema-migrator:${OTELCOL_TAG:-v0.111.42}
-    container_name: schema-migrator-sync
+    container_name: signoz-schema-migrator-sync
     command:
       - sync
       - --dsn=tcp://signoz-clickhouse:9000
@@ -4669,7 +4682,7 @@ services:
   signoz-schema-migrator-async:
     <<: *signoz-db-depend
     image: signoz/signoz-schema-migrator:${OTELCOL_TAG:-v0.111.42}
-    container_name: schema-migrator-async
+    container_name: signoz-schema-migrator-async
     command:
       - async
       - --dsn=tcp://signoz-clickhouse:9000
@@ -4929,7 +4942,7 @@ services:
       VALIDATION: dns
       CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
       CROWDSEC_LAPI_URL: http://crowdsec:8080
-      DOCKER_MODS: linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind|linuxserver/mods:universal-stdout-logs|linuxserver/mods:universal-package-install #|ghcr.io/linuxserver/mods:swag-crowdsec#|linuxserver/mods:swag-auto-uptime-kuma
+      DOCKER_MODS: linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind|linuxserver/mods:universal-stdout-logs|linuxserver/mods:universal-package-install|ghcr.io/linuxserver/mods:swag-crowdsec #|linuxserver/mods:swag-auto-uptime-kuma
       INSTALL_PACKAGES: nginx-mod-http-js
       PROPAGATION: 30
       UPTIME_KUMA_PASSWORD: ${UPTIME_KUMA_PASSWORD}