Ansible private key fix (hopefully).

Merged by Trez.One

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -33,6 +33,7 @@ jobs:
         continue-on-error: true
         run: |
           tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          tea pr list --repo ${{ github.repository }} --state all
           pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
           echo ${pr_exists}
           echo "exists=$pr_exists" >> $GITHUB_OUTPUT
@@ -73,7 +74,7 @@ jobs:
         with:
           directory: ansible/
           playbook: docker_config_deploy.yml
-          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
+          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_SSH_KEY}}
           options: |
             --inventory inventory/hosts.yml
             --check
@@ -180,13 +181,13 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
           notification_message: 'Cloudflare DNS setup completed successfully.'
-  regenerate-readme:
+  regenerate-readme-modified-services:
-    name: Update README
+    name: Update README & Generate List of Modified Services
     runs-on: ubuntu-latest
     needs: [cloudflare-dns-setup]
-    outputs:
+    # outputs:
-      pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
+    #   pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
-      modified_services: ${{ steps.compare-services.outputs.modified_services }}
+    #   modified_services: ${{ steps.compare-services.outputs.modified_services }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -196,6 +197,7 @@ jobs:
       #   run: |
       #     git fetch origin main:main
       # - name: Compare services using yq
+      #   continue-on-error: true
       #   id: compare-services
       #   run: |
       #     current_services=$(yq '.services | to_entries' docker-compose.yml)
@@ -226,7 +228,7 @@ jobs:
           add: "README.md"
   pr-merge:
     name: PR Merge
-    needs: [regenerate-readme]
+    needs: [regenerate-readme-modified-services]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -255,6 +257,7 @@ jobs:
           notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
   ansible-config-docker-compose-deploy:
     name: Deploy via Ansible & Docker Compose
+    timeout-minutes: 360
     runs-on: ubuntu-latest
     needs: [pr-merge]
     env:
@@ -301,12 +304,12 @@ jobs:
         run: |
            vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
       - name: Docker Compose Deployment
-        if: ${{ steps.detect-modified-services.outputs.modified_services != '' }}
+        # if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
         continue-on-error: true
         uses: keatonLiu/docker-compose-remote-action@v1.2
         with:
           docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing  --parallel -1 ${{ steps.detect-modified-services.outputs.modified_services }}
+          docker_args: -d --remove-orphans --pull missing
           ssh_user: gitea-deploy
           ssh_host: 192.168.1.254
           ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}

README.md

@@ -6,11 +6,12 @@
 | --- | --- |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
-| apprise | lscr.io/linuxserver/apprise-api:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
 | bazarr | lscr.io/linuxserver/bazarr:latest |
+| beszel | henrygd/beszel:latest |
+| beszel-agent | henrygd/beszel-agent:latest |
 | bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
 | bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
@@ -19,11 +20,10 @@
 | castopod | castopod/castopod:latest |
 | cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
+| cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
 | czkawka | jlesage/czkawka |
-| dagu-scheduler | ghcr.io/dagu-org/dagu:latest |
-| dagu-server | ghcr.io/dagu-org/dagu:latest |
 | dbgate | dbgate/dbgate:alpine |
 | delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
@@ -58,8 +58,8 @@
 | influxdb2 | influxdb:2-alpine |
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-db | docker.io/library/postgres:14 |
-| invoice_ninja | invoiceninja/invoiceninja:5 |
+| invoice-ninja | invoiceninja/invoiceninja-debian:5 |
-| invoice_ninja_proxy | nginx |
+| invoice-ninja_proxy | nginx |
 | it-tools | ghcr.io/corentinth/it-tools:latest |
 | jellyfin | jellyfin/jellyfin |
 | jitsi-etherpad | etherpad/etherpad:1.8.6 |
@@ -74,8 +74,6 @@
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
 | lldap | lldap/lldap:stable |
-| lobe-chat | lobehub/lobe-chat-database |
-| lobe-chat-pg-db | pgvector/pgvector:pg16 |
 | maloja | krateng/maloja:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
@@ -85,17 +83,18 @@
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
 | navidrome | deluan/navidrome:latest |
+| netalertx | jokobsk/netalertx:latest |
 | netbird-dashboard | netbirdio/dashboard:latest |
 | netbird-signal | netbirdio/signal:latest |
 | netbird-relay | netbirdio/relay:latest |
 | netbird-management | netbirdio/management:latest |
 | netbird-coturn | coturn/coturn:latest |
-| netbox | lscr.io/linuxserver/netbox:latest |
-| netbox-db | postgres:17-alpine |
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
+| open-webui | ghcr.io/open-webui/open-webui:main |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
+| parseable | containers.parseable.com/parseable/parseable:latest |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | plantuml-server | plantuml/plantuml-server:jetty |
@@ -103,6 +102,7 @@
 | plausible_db | postgres:16-alpine |
 | plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
 | portainer | portainer/portainer-ce:alpine-sts |
+| portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
@@ -120,10 +120,6 @@
 | scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
-| slurpit-portal | slurpit/portal:latest |
-| slurpit-scanner | slurpit/scanner:latest |
-| slurpit-scraper | slurpit/scraper:latest |
-| slurpit-warehouse | slurpit/warehouse:latest |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
@@ -141,13 +137,10 @@
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
+| vector | timberio/vector:0.44.0-alpine |
 | wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
-| wazuh-agent | kennyopennix/wazuh-agent:latest |
-| wazuh-dashboard | wazuh/wazuh-dashboard: |
-| wazuh-indexer | wazuh/wazuh-indexer: |
-| wazuh-manager | wazuh/wazuh-manager: |
 | web-check | lissy93/web-check |
 | your_spotify | lscr.io/linuxserver/your_spotify:latest |
 | youtubedl | nbr23/youtube-dl-server:latest |

ansible/app-configs/gitea_act-runner_config.yaml.j2

@@ -0,0 +1,101 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 2
+  # Extra environment variables to run jobs.
+  envs:
+    A_TEST_ENV_NAME_1: a_test_env_value_1
+    A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: "192.168.1.254"
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 63604
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "compose_default"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

ansible/app-configs/homepage_settings.yaml.j2

@@ -27,22 +27,22 @@ layout:
     # fiveColumns: true
   Infrastructure/App Performance Monitoring:
     style: row
-    columns: 4
+    columns: 3
+  Code/DevOps:
+    style: row
+    columns: 3
+  Social:
+    style: row
+    columns: 3
+  Lifestyle:
+    style: row
+    columns: 3
   Automation:
     style: columns
     row: 2
-  Code/DevOps:
-    style: columms
-    row: 2
   Privacy/Security:
     style: columns
     row: 5
-  Social:
-    style: columns
-    row: 4
-  Lifestyle:
-    style: row
-    columns: 4
   Personal Services:
     style: row
     columns: 4
@@ -57,4 +57,4 @@ layout:
     columns: 3
   Media Library:
     style: row
-    columns: 4
+    columns: 3

ansible/app-configs/vector.yaml.j2

@@ -0,0 +1,32 @@
+  sources:
+    rinoa_docker_logs:
+      type: docker_logs
+      exclude_containers:
+        - zammad-init
+        - vector
+
+  sinks:
+    parseable:
+      type: http
+      method: post
+      batch:
+        max_bytes: 10485760
+        max_events: 1000
+        timeout_secs: 10
+      compression: gzip
+      inputs:
+        - rinoa_docker_logs
+      encoding:
+        codec: json
+      uri: http://parseable:8000/api/v1/ingest'
+      auth:
+        strategy: basic
+        user: admin
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+      request:
+        headers:
+          X-P-Stream: vectordemo
+      healthcheck:
+        enabled: true
+        path: 'http://parseable:8000/api/v1/liveness'
+        port: 80

ansible/app-configs/vector_vector.yaml.j2

@@ -0,0 +1,31 @@
+  sources:
+    rinoa_docker_logs:
+      type: docker_logs
+      exclude_containers:
+        - zammad-init
+
+  sinks:
+    parseable:
+      type: http
+      method: post
+      batch:
+        max_bytes: 10485760
+        max_events: 1000
+        timeout_secs: 10
+      compression: gzip
+      inputs:
+        - rinoa_docker_logs
+      encoding:
+        codec: json
+      uri: http://parseable:8000/api/v1/ingest'
+      auth:
+        strategy: basic
+        user: admin
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+      request:
+        headers:
+          X-P-Stream: vectordemo
+      healthcheck:
+        enabled: true
+        path: 'http://parseable:8000/api/v1/liveness'
+        port: 80

changes.yml

@@ -1,47 +0,0 @@
-    ports:
-      - 2283:2283
-    restart: always
-    labels:
-      swag_port: 3000
-      swag_url: pics.${MY_TLD}
-      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://pics.${MY_TLD}
-      homepage.group: Lifestyle
-      homepage.name: Immich
-      homepage.href: https://pics.${MY_TLD}
-      homepage.icon: immich.svg
-      homepage.description: High performance self-hosted photo and video management solution
-    restart: always
-  immich-power-tools:
-    container_name: immich-power-tools
-    environment:
-      IMMICH_API_KEY: ${IMMICH_POWER_TOOLS_KEY}
-      IMMICH_URL: http://immich-server:2283
-      EXTERNAL_IMMICH_URL: https://pics.trez.wtf
-    image: ghcr.io/varun-raj/immich-power-tools:latest
-    ports:
-      - 54018:3000
-  influxdb2:
-    container_name: influxdb2
-    environment:
-      DOCKER_INFLUXDB_INIT_MODE: setup
-      DOCKER_INFLUXDB_INIT_USERNAME: admin
-      DOCKER_INFLUXDB_INIT_PASSWORD: ${INFLUXDB2_ADMIN_PASSWORD}
-      DOCKER_INFLUXDB_INIT_ADMIN_TOKEN: /run/secrets/influxdb2-admin-token
-      DOCKER_INFLUXDB_INIT_ORG: rinoa
-      DOCKER_INFLUXDB_INIT_BUCKET: rinoa
-    image: influxdb:2-alpine
-    labels:
-      swag: enable
-      swag_proto: http
-      swag_port: 8086
-      swag_url: influxdb.${MY_TLD}
-      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://influxdb.${MY_TLD}
-      homepage.group: System Administration
-      homepage.name: InfluxDBv2
-      homepage.href: https://influxdb.${MY_TLD}
-      homepage.icon: influxdb.svg
-      homepage.description: Scalable datastore for metrics, events, and real-time analytics
-    ports:
-      - 8086:8086