Ansible private key fix (hopefully).

Merged by Trez.One

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -74,7 +74,7 @@ jobs:
         with:
           directory: ansible/
           playbook: docker_config_deploy.yml
-          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
+          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_SSH_KEY}}
           options: |
             --inventory inventory/hosts.yml
             --check
@@ -257,6 +257,7 @@ jobs:
           notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
   ansible-config-docker-compose-deploy:
     name: Deploy via Ansible & Docker Compose
+    timeout-minutes: 360
     runs-on: ubuntu-latest
     needs: [pr-merge]
     env:
@@ -303,12 +304,12 @@ jobs:
         run: |
            vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
       - name: Docker Compose Deployment
-        if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
+        # if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
         continue-on-error: true
         uses: keatonLiu/docker-compose-remote-action@v1.2
         with:
           docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing --parallel -1
+          docker_args: -d --remove-orphans --pull missing
           ssh_user: gitea-deploy
           ssh_host: 192.168.1.254
           ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}

README.md

@@ -20,6 +20,7 @@
 | castopod | castopod/castopod:latest |
 | cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
+| cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
 | czkawka | jlesage/czkawka |
@@ -82,6 +83,7 @@
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
 | navidrome | deluan/navidrome:latest |
+| netalertx | jokobsk/netalertx:latest |
 | netbird-dashboard | netbirdio/dashboard:latest |
 | netbird-signal | netbirdio/signal:latest |
 | netbird-relay | netbirdio/relay:latest |
@@ -92,6 +94,7 @@
 | ombi | lscr.io/linuxserver/ombi:latest |
 | open-webui | ghcr.io/open-webui/open-webui:main |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
+| parseable | containers.parseable.com/parseable/parseable:latest |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | plantuml-server | plantuml/plantuml-server:jetty |
@@ -134,6 +137,7 @@
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
+| vector | timberio/vector:0.44.0-alpine |
 | wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |

ansible/app-configs/gitea_act-runner_config.yaml.j2

@@ -0,0 +1,101 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 2
+  # Extra environment variables to run jobs.
+  envs:
+    A_TEST_ENV_NAME_1: a_test_env_value_1
+    A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: "192.168.1.254"
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 63604
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "compose_default"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

ansible/app-configs/vector.yaml.j2

@@ -0,0 +1,32 @@
+  sources:
+    rinoa_docker_logs:
+      type: docker_logs
+      exclude_containers:
+        - zammad-init
+        - vector
+
+  sinks:
+    parseable:
+      type: http
+      method: post
+      batch:
+        max_bytes: 10485760
+        max_events: 1000
+        timeout_secs: 10
+      compression: gzip
+      inputs:
+        - rinoa_docker_logs
+      encoding:
+        codec: json
+      uri: http://parseable:8000/api/v1/ingest'
+      auth:
+        strategy: basic
+        user: admin
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+      request:
+        headers:
+          X-P-Stream: vectordemo
+      healthcheck:
+        enabled: true
+        path: 'http://parseable:8000/api/v1/liveness'
+        port: 80

docker-compose.yml

@@ -617,6 +617,35 @@ services:
         source: /rinoa-storage
         target: /storage
         type: bind
+  cronicle:
+    container_name: cronicle
+    entrypoint: manager
+    environment:
+      CRONICLE_manager: 1
+      CRONICLE_secret_key: "${CRONICLE_SECRET_KEY}"
+      DOCKER_HOST: tcp://dockerproxy:2375
+    hostname: cronicle
+    image: elestio/cronicle:latest
+    labels:
+      homepage.group: Automation
+      homepage.name: Cronicle
+      homepage.href: https://cron.${MY_TLD}
+      homepage.icon: sh-cronicle.png
+      homepage.description: Multi-server task schedule with a web interface
+      swag: enable
+      swag_port: 3012
+      swag_proto: http
+      swag_url: cron.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://cron.${MY_TLD}
+    ports:
+        - 31037:3012
+    restart: always
+    volumes:
+        - ${DOCKER_VOLUME_CONFIG}/cronicle/data:/opt/cronicle/data
+        - ${DOCKER_VOLUME_CONFIG}/cronicle/logs:/opt/cronicle/logs
+        - ${DOCKER_VOLUME_CONFIG}/cronicle/plugins:/opt/cronicle/plugins
+        - ${DOCKER_VOLUME_CONFIG}/cronicle/workloads/app:/app
   crowdsec:
     container_name: crowdsec
     environment:
@@ -1440,266 +1469,6 @@ services:
         type: bind
         bind:
           create_host_path: true
-  grafana:
-    container_name: grafana
-    depends_on:
-      grafana-alloy:
-        condition: service_started
-        required: true
-    environment:
-      GF_INSTALL_PLUGINS: grafana-piechart-panel
-      TZ: America/New_York
-    hostname: Rinoa
-    image: grafana/grafana-enterprise:latest
-    labels:
-      homepage.group: Infrastructure/App Performance Monitoring
-      homepage.name: Grafana (LGTM)
-      homepage.href: https://mon.${MY_TLD}
-      homepage.description: Monitoring Dashboard for metrics, logs, traces, & profiles
-      homepage.icon: grafana.png
-      homepage.widget.type: grafana
-      homepage.widget.url: http://grafana:3000
-      homepage.widget.username: admin
-      homepage.widget.password: ${GRAFANA_ADMIN_PASSWORD}
-      swag: enable
-      swag_proto: http
-      swag_url: mon.${MY_TLD}
-      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://mon.${MY_TLD}
-    networks:
-      default: null
-    ports:
-      - mode: ingress
-        protocol: tcp
-        published: "3006"
-        target: 3000
-    restart: unless-stopped
-    user: 1000:1000
-    volumes:
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - source: ${DOCKER_VOLUME_CONFIG}/grafana/data
-        target: /var/lib/grafana
-        type: bind
-        bind:
-          create_host_path: true
-      - bind:
-          create_host_path: true
-        source: /rinoa-storage
-        target: /storage
-        type: bind
-  grafana-alloy:
-    cap_add:
-      - SYS_ADMIN
-      - SYS_TIME
-      - BPF
-      - SYSLOG
-    command: run --disable-reporting=true --stability.level=public-preview --server.http.listen-addr=0.0.0.0:12345 /etc/alloy/config.alloy
-    container_name: grafana-alloy
-    environment:
-      DOCKER_HOST: tcp://dockerproxy:2375
-    image: grafana/alloy:latest
-    labels:
-      homepage.group: Infrastructure/App Performance Monitoring
-      homepage.name: Grafana Alloy
-      homepage.description: Agent for metric/log/trace/profile collection and writing
-      homepage.href: http://192.168.1.254:12345
-      homepage.icon: sh-grafana-alloy.svg
-    networks:
-      default: null
-    ports:
-      - mode: ingress
-        protocol: tcp
-        published: "12345"
-        target: 12345
-    privileged: true
-    restart: always
-    volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/grafana/alloy/config.alloy
-        target: /etc/alloy/config.alloy
-        type: bind
-        bind:
-          create_host_path: true
-      - source: ${DOCKER_VOLUME_CONFIG}/grafana/alloy/endpoints.json
-        target: /etc/alloy/endpoints.json
-        type: bind
-        bind:
-          create_host_path: true
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /proc
-        target: /host/proc
-        type: bind
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /sys
-        target: /host/sys
-        type: bind
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /
-        target: /rootfs
-        type: bind
-  grafana-loki:
-    command: -config.file=/etc/loki/loki-config.yaml
-    container_name: grafana-loki
-    depends_on:
-      grafana-alloy:
-        condition: service_started
-        required: true
-    image: grafana/loki:latest
-    networks:
-      default: null
-    ports:
-      - mode: ingress
-        protocol: tcp
-        published: "3100"
-        target: 3100
-    restart: unless-stopped
-    volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/grafana/loki/loki-config.yaml
-        target: /etc/loki/loki-config.yaml
-        type: bind
-        bind:
-          create_host_path: true
-  grafana-mimir:
-    command:
-      - -ingester.native-histograms-ingestion-enabled=true
-      - -config.file=/etc/mimir.yaml
-    container_name: grafana-mimir
-    depends_on:
-      grafana-alloy:
-        condition: service_started
-        required: true
-    image: grafana/mimir:latest
-    labels:
-      homepage.group: Infrastructure/App Performance Monitoring
-      homepage.name: Grafana Mimir
-      homepage.href: http://192.168.1.254:9009
-      homepage.description: Long-term metrics storage
-      homepage.icon: /icons/grafana-mimir.png
-    networks:
-      default: null
-    ports:
-      - mode: ingress
-        protocol: tcp
-        published: "9009"
-        target: 9009
-    restart: unless-stopped
-    volumes:
-      - source: grafana-mimir-data
-        target: /data
-        type: volume
-        volume: {}
-      - source: ${DOCKER_VOLUME_CONFIG}/grafana/mimir/mimir.yaml
-        target: /etc/mimir.yaml
-        type: bind
-        bind:
-          create_host_path: true
-  grafana-mimir-memcached:
-    container_name: grafana-mimir-memcached
-    depends_on:
-      grafana-alloy:
-        condition: service_started
-        required: true
-    environment:
-      MEMCACHED_MEMORY_LIMIT: 1g
-      MEMCACHED_THREADS: 4
-      MEMCACHED_MAX_CONNECTIONS: 2048
-      MEMCACHED_TCP_PORT: 11211
-      MEMCACHED_UDP_PORT: 11211
-    image: memcached
-    networks:
-      default: null
-    ports:
-      - mode: ingress
-        protocol: tcp
-        published: "11211"
-        target: 11211
-    restart: unless-stopped
-  grafana-pyroscope:
-    command:
-      - -config.file=/etc/pyroscope.yml
-    container_name: grafana-pyroscope
-    depends_on:
-      grafana-alloy:
-        condition: service_started
-        required: true
-    image: grafana/pyroscope:latest
-    labels:
-      homepage.group: Infrastructure/App Performance Monitoring
-      homepage.name: Grafana Pyroscope
-      homepage.description: Profiling for applications
-      homepage.href: http://192.168.1.254:4040
-      homepage.icon: /icons/grafana-pyroscope.svg
-    networks:
-      default: null
-    ports:
-      - mode: ingress
-        protocol: tcp
-        published: "4040"
-        target: 4040
-    restart: unless-stopped
-    volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/grafana/pyroscope/config.yaml
-        target: /etc/pyroscope.yml
-        type: bind
-        bind:
-          create_host_path: true
-  grafana-tempo:
-    command:
-      - -config.file=/etc/tempo.yaml
-    container_name: grafana-tempo
-    depends_on:
-      grafana-alloy:
-        condition: service_started
-        required: true
-    image: grafana/tempo:latest
-    networks:
-      default: null
-    ports:
-      - mode: ingress
-        protocol: tcp
-        published: "14268"
-        target: 14268
-      - mode: ingress
-        protocol: tcp
-        published: "3200"
-        target: 3200
-      - mode: ingress
-        protocol: tcp
-        published: "9095"
-        target: 9095
-      - mode: ingress
-        protocol: tcp
-        published: "4317"
-        target: 4317
-      - mode: ingress
-        protocol: tcp
-        published: "4318"
-        target: 4318
-      - mode: ingress
-        protocol: tcp
-        published: "9411"
-        target: 9411
-    restart: unless-stopped
-    volumes:
-      - source: grafana-tempo-data
-        target: /var/tempo
-        type: volume
-        volume: {}
-      - source: ${DOCKER_VOLUME_CONFIG}/grafana/tempo/tempo.yaml
-        target: /etc/tempo.yaml
-        type: bind
-        bind:
-          create_host_path: true
   guacamole:
     container_name: guacamole
     environment:
@@ -2259,6 +2028,7 @@ services:
       swag_port: 8096
       swag_proto: http
       swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://jf.${MY_TLD}
     ports:
       - 8487:8096
       - 7359:7359
@@ -3529,6 +3299,9 @@ services:
       homepage.href: https://cloud.${MY_TLD}
       homepage.icon: nextcloud.svg
       homepage.description: Private Cloud
+      homepage.widget.type: nextcloud
+      homepage.widget.url: https://cloud.trez.wtf
+      homepage.widget.token: ${NEXTCLOUD_HOMEPAGE_TOKEN}
       swag: enable
       swag_port: 11000
       swag_proto: http
@@ -3686,6 +3459,7 @@ services:
         bind:
           create_host_path: true
   parseable:
+    container_name: parseable
     command: [ "parseable", "s3-store" ]
     depends_on:
       - minio
@@ -3699,24 +3473,19 @@ services:
       P_S3_ACCESS_KEY: ${PARSEABLE_S3_ACCESS_KEY}
       P_S3_SECRET_KEY: ${PARSEABLE_S3_SECRET_KEY}
       P_S3_REGION: us-east-fh-pln
-    healthcheck:
-      test: [ "CMD", "curl", "-f", "http://localhost:8000/api/v1/liveness" ]
-      interval: 15s
-      timeout: 20s
-      retries: 5
     image: containers.parseable.com/parseable/parseable:latest
     labels:
       homepage.group: Infrastructure/App Performance Monitoring
       homepage.name: Parseable
       homepage.href: https://logs.${MY_TLD}
       homepage.icon: parseable.svg
-      homepage.description: Backups for PostgreSQL
+      homepage.description: Log analytics system for high throughput log ingestion
       swag: enable
       swag_proto: http
       swag_port: 8000
       swag_url: logs.${MY_TLD}
     volumes:
-      - /parseable/staging:/staging
+      - ${DOCKER_VOLUME_CONFIG}/parseable/staging:/staging
     ports:
       - 14453:8000
   pgbackweb: