chore: Update README

Merged by Trez.One

.gitea/workflows/pr-ansible-config-deployment.yaml

@@ -1,5 +1,6 @@
 name: Gitea Branch PR & Ansible Deployment
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'main'
@@ -139,8 +140,8 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: PR Merge Successful'
           notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-docker-compose-deploy:
+  ansible-config-deploy:
-    name: Ansible Configs & Docker Compose Deployment
+    name: Ansible Config Deployment
     runs-on: ubuntu-latest
     needs: [pr-merge]
     env:
@@ -173,7 +174,7 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
           notification_message: 'Starting config deployment with Ansible...'
-      - name: Ansible Playbook Dry Run
+      - name: Ansible Playbook Config Deploy
         uses: arillso/action.playbook@0.1.0
         with:
           check: false

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -1,5 +1,6 @@
 name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'main'
@@ -65,6 +66,7 @@ jobs:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
       VAULT_NAMESPACE: ""
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
     outputs:
       svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
     steps:
@@ -75,7 +77,7 @@ jobs:
           git fetch origin ${{ github.event.pull_request.base.ref }}
       - name: Login to Gitea Container Registry
         run: |
-          docker login -u gitea-sonarqube-bot -p ${{ secrets.BOT_GITEA_TOKEN }} https://git.trez.wtf
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
       - name: Save both versions of docker-compose.yml
         run: |
           git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
@@ -299,6 +301,7 @@ jobs:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
       DOCKER_HOST: tcp://dockerproxy:2375
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -318,7 +321,7 @@ jobs:
         uses: cpanato/vault-installer@main
       - name: Login to Gitea Container Registry
         run: |
-          docker login -u gitea-sonarqube-bot -p ${{ secrets.BOT_GITEA_TOKEN }} http://gitea:3000
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:

README.md

@@ -31,11 +31,13 @@
 | dawarich-sidekiq | freikin/dawarich:latest |
 | dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
+| dockflare | alplat/dockflare:stable |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | excalidraw | excalidraw/excalidraw:latest |
 | explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
+| freescout | tiredofit/freescout:latest |
 | ghost | ghost:latest |
 | gitea | gitea/gitea:1.23.1 |
 | gitea-db | postgres:14 |
@@ -85,8 +87,11 @@
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
+| maxun-backend | getmaxun/maxun-backend:latest |
+| maxun-frontend | getmaxun/maxun-frontend:latest |
+| maxun-pg-db | postgres:13-alpine |
 | meilisearch | getmeili/meilisearch:v1.12.3 |
-| minio | minio/minio |
+| minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
 | mixpost | inovector/mixpost:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
@@ -122,11 +127,16 @@
 | romm | rommapp/romm:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
 | sablier | sablierapp/sablier:latest |
-| scraperr | jpyles0524/scraperr:latest |
-| scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
 | semaphore | semaphoreui/semaphore:v2.12.14 |
+| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
+| signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-app | signoz/signoz:v0.86.2 |
+| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
+| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
@@ -147,14 +157,4 @@
 | web-check | lissy93/web-check |
 | whodb | clidey/whodb |
 | youtubedl | nbr23/youtube-dl-server:latest |
-| zammad-backup | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-elasticsearch | bitnami/elasticsearch:8.17.4 |
-| zammad-init | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-memcached | memcached:1.6.38-alpine |
-| zammad-nginx | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-postgresql | postgres:17.4-alpine |
-| zammad-railsserver | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-redis | redis:7.4.2-alpine |
-| zammad-scheduler | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-websocket | ghcr.io/zammad/zammad:6.5.0-15 |
 

ansible/app-configs/AdGuardHome.yaml.j2

@@ -0,0 +1,199 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+http:
+  pprof:
+    port: 6060
+    enabled: false
+  address: 0.0.0.0:8008
+  session_ttl: 720h
+users:
+  - name: admin
+    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
+auth_attempts: 5
+block_auth_min: 15
+http_proxy: ""
+language: ""
+theme: auto
+dns:
+  bind_hosts:
+    - 0.0.0.0
+  port: 53
+  anonymize_client_ip: false
+  ratelimit: 20
+  ratelimit_subnet_len_ipv4: 24
+  ratelimit_subnet_len_ipv6: 56
+  ratelimit_whitelist: []
+  refuse_any: true
+  upstream_dns:
+    - 94.140.14.14
+    - 94.140.15.15
+    - https://dns.adguard-dns.com/dns-query
+    - tls://dns.adguard-dns.com
+    - quic://dns.adguard-dns.com
+    - 1.1.1.1
+    - 1.0.0.1
+    - 1.1.1.2
+    - 1.0.0.2
+    - 185.228.168.9
+    - 185.228.169.9
+    - 76.76.2.3
+    - tls://getdnsapi.net
+    - 185.49.141.37
+    - tls://dot.seby.io
+  upstream_dns_file: ""
+  bootstrap_dns:
+    - 9.9.9.10
+    - 149.112.112.10
+    - 2620:fe::10
+    - 2620:fe::fe:10
+  fallback_dns: []
+  upstream_mode: load_balance
+  fastest_timeout: 1s
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts:
+    - version.bind
+    - id.server
+    - hostname.bind
+  trusted_proxies:
+    - 127.0.0.0/8
+    - ::1/128
+  cache_size: 4194304
+  cache_ttl_min: 0
+  cache_ttl_max: 0
+  cache_optimistic: false
+  bogus_nxdomain: []
+  aaaa_disabled: false
+  enable_dnssec: false
+  edns_client_subnet:
+    custom_ip: ""
+    enabled: false
+    use_custom: false
+  max_goroutines: 300
+  handle_ddr: true
+  ipset: []
+  ipset_file: ""
+  bootstrap_prefer_ipv6: false
+  upstream_timeout: 10s
+  private_networks: []
+  use_private_ptr_resolvers: false
+  local_ptr_upstreams: []
+  use_dns64: false
+  dns64_prefixes: []
+  serve_http3: false
+  use_http3_upstreams: false
+  serve_plain_dns: true
+  hostsfile_enabled: true
+  pending_requests:
+    enabled: true
+tls:
+  enabled: true
+  server_name: ""
+  force_https: false
+  port_https: 446
+  port_dns_over_tls: 853
+  port_dns_over_quic: 853
+  port_dnscrypt: 0
+  dnscrypt_config_file: ""
+  allow_unencrypted_doh: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  strict_sni_check: false
+querylog:
+  dir_path: ""
+  ignored: []
+  interval: 2160h
+  size_memory: 1000
+  enabled: true
+  file_enabled: true
+statistics:
+  dir_path: ""
+  ignored: []
+  interval: 24h
+  enabled: true
+filters:
+  - enabled: true
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
+    name: AdGuard DNS filter
+    id: 1
+  - enabled: false
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
+    name: AdAway Default Blocklist
+    id: 2
+whitelist_filters: []
+user_rules: []
+dhcp:
+  enabled: false
+  interface_name: ""
+  local_domain_name: lan
+  dhcpv4:
+    gateway_ip: 192.168.1.1
+    subnet_mask: 255.255.255.0
+    range_start: 192.168.1.2
+    range_end: 192.168.1.240
+    lease_duration: 86400
+    icmp_timeout_msec: 1000
+    options: []
+  dhcpv6:
+    range_start: ""
+    lease_duration: 86400
+    ra_slaac_only: false
+    ra_allow_slaac: false
+filtering:
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_services:
+    schedule:
+      time_zone: America/New_York
+    ids: []
+  protection_disabled_until: null
+  safe_search:
+    enabled: false
+    bing: true
+    duckduckgo: true
+    ecosia: true
+    google: true
+    pixabay: true
+    yandex: true
+    youtube: true
+  blocking_mode: default
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  rewrites: []
+  safe_fs_patterns:
+    - /opt/adguardhome/work/userfilters/*
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  filters_update_interval: 24
+  blocked_response_ttl: 10
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: false
+  protection_enabled: true
+clients:
+  runtime_sources:
+    whois: true
+    arp: true
+    rdns: true
+    dhcp: true
+    hosts: true
+  persistent: []
+log:
+  enabled: true
+  file: ""
+  max_backups: 0
+  max_size: 100
+  max_age: 3
+  compress: false
+  local_time: false
+  verbose: false
+os:
+  group: ""
+  user: ""
+  rlimit_nofile: 0
+schema_version: 29

ansible/app-configs/signoz_common_clickhouse_cluster.ha.xml.j2

@@ -0,0 +1,75 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
+         Optional. If you don't use replicated tables, you could omit that.
+
+         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
+      -->
+    <zookeeper>
+        <node index="1">
+            <host>signoz-zookeeper-1</host>
+            <port>2181</port>
+        </node>
+        <node index="2">
+            <host>zookeeper-2</host>
+            <port>2181</port>
+        </node>
+        <node index="3">
+            <host>zookeeper-3</host>
+            <port>2181</port>
+        </node>
+    </zookeeper>
+
+    <!-- Configuration of clusters that could be used in Distributed tables.
+         https://clickhouse.com/docs/en/operations/table_engines/distributed/
+      -->
+    <remote_servers>
+        <cluster>
+            <!-- Inter-server per-cluster secret for Distributed queries
+                 default: no secret (no authentication will be performed)
+
+                 If set, then Distributed queries will be validated on shards, so at least:
+                 - such cluster should exist on the shard,
+                 - such cluster should have the same secret.
+
+                 And also (and which is more important), the initial_user will
+                 be used as current user for the query.
+
+                 Right now the protocol is pretty simple and it only takes into account:
+                 - cluster name
+                 - query
+
+                 Also it will be nice if the following will be implemented:
+                 - source hostname (see interserver_http_host), but then it will depends from DNS,
+                   it can use IP address instead, but then the you need to get correct on the initiator node.
+                 - target hostname / ip address (same notes as for source hostname)
+                 - time-based security tokens
+            -->
+            <!-- <secret></secret> -->
+            <shard>
+                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
+                <!-- <internal_replication>false</internal_replication> -->
+                <!-- Optional. Shard weight when writing data. Default: 1. -->
+                <!-- <weight>1</weight> -->
+                <replica>
+                    <host>signoz-clickhouse</host>
+                    <port>9000</port>
+                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
+                    <!-- <priority>1</priority> -->
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-2</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-3</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+        </cluster>
+    </remote_servers>
+</clickhouse>

ansible/app-configs/signoz_common_clickhouse_cluster.xml.j2

@@ -0,0 +1,75 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
+         Optional. If you don't use replicated tables, you could omit that.
+
+         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
+      -->
+    <zookeeper>
+        <node index="1">
+            <host>signoz-zookeeper-1</host>
+            <port>2181</port>
+        </node>
+        <!-- <node index="2">
+            <host>zookeeper-2</host>
+            <port>2181</port>
+        </node>
+        <node index="3">
+            <host>zookeeper-3</host>
+            <port>2181</port>
+        </node> -->
+    </zookeeper>
+
+    <!-- Configuration of clusters that could be used in Distributed tables.
+         https://clickhouse.com/docs/en/operations/table_engines/distributed/
+      -->
+    <remote_servers>
+        <cluster>
+            <!-- Inter-server per-cluster secret for Distributed queries
+                 default: no secret (no authentication will be performed)
+
+                 If set, then Distributed queries will be validated on shards, so at least:
+                 - such cluster should exist on the shard,
+                 - such cluster should have the same secret.
+
+                 And also (and which is more important), the initial_user will
+                 be used as current user for the query.
+
+                 Right now the protocol is pretty simple and it only takes into account:
+                 - cluster name
+                 - query
+
+                 Also it will be nice if the following will be implemented:
+                 - source hostname (see interserver_http_host), but then it will depends from DNS,
+                   it can use IP address instead, but then the you need to get correct on the initiator node.
+                 - target hostname / ip address (same notes as for source hostname)
+                 - time-based security tokens
+            -->
+            <!-- <secret></secret> -->
+            <shard>
+                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
+                <!-- <internal_replication>false</internal_replication> -->
+                <!-- Optional. Shard weight when writing data. Default: 1. -->
+                <!-- <weight>1</weight> -->
+                <replica>
+                    <host>signoz-clickhouse</host>
+                    <port>9000</port>
+                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
+                    <!-- <priority>1</priority> -->
+                </replica>
+            </shard>
+            <!-- <shard>
+                <replica>
+                    <host>clickhouse-2</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-3</host>
+                    <port>9000</port>
+                </replica>
+            </shard> -->
+        </cluster>
+    </remote_servers>
+</clickhouse>

ansible/app-configs/signoz_common_clickhouse_custom-function.xml.j2

@@ -0,0 +1,21 @@
+<functions>
+    <function>
+        <type>executable</type>
+        <name>histogramQuantile</name>
+        <return_type>Float64</return_type>
+        <argument>
+            <type>Array(Float64)</type>
+            <name>buckets</name>
+        </argument>
+        <argument>
+            <type>Array(Float64)</type>
+            <name>counts</name>
+        </argument>
+        <argument>
+            <type>Float64</type>
+            <name>quantile</name>
+        </argument>
+        <format>CSV</format>
+        <command>./histogramQuantile</command>
+    </function>
+</functions>

ansible/app-configs/signoz_common_clickhouse_storage.xml.j2

@@ -0,0 +1,41 @@
+<?xml version="1.0"?>
+<clickhouse>
+<storage_configuration>
+    <disks>
+        <default>
+            <keep_free_space_bytes>10485760</keep_free_space_bytes>
+        </default>
+        <s3>
+            <type>s3</type>
+            <!-- For S3 cold storage,
+                    if region is us-east-1, endpoint can be https://<bucket-name>.s3.amazonaws.com
+                    if region is not us-east-1, endpoint should be https://<bucket-name>.s3-<region>.amazonaws.com
+                For GCS cold storage,
+                    endpoint should be https://storage.googleapis.com/<bucket-name>/data/
+                -->
+            <endpoint>https://BUCKET-NAME.s3-REGION-NAME.amazonaws.com/data/</endpoint>
+            <access_key_id>ACCESS-KEY-ID</access_key_id>
+            <secret_access_key>SECRET-ACCESS-KEY</secret_access_key>
+            <!-- In case of S3, uncomment the below configuration in case you want to read
+                AWS credentials from the Environment variables if they exist. -->
+            <!-- <use_environment_credentials>true</use_environment_credentials> -->
+            <!-- In case of GCS, uncomment the below configuration, since GCS does
+                not support batch deletion and result in error messages in logs. -->
+            <!-- <support_batch_delete>false</support_batch_delete> -->
+        </s3>
+   </disks>
+   <policies>
+       <tiered>
+           <volumes>
+                <default>
+                    <disk>default</disk>
+                </default>
+                <s3>
+                    <disk>s3</disk>
+                    <perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
+                </s3>
+            </volumes>
+        </tiered>
+    </policies>
+</storage_configuration>
+</clickhouse>

ansible/app-configs/signoz_common_clickhouse_users.xml.j2

@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- See also the files in users.d directory where the settings can be overridden. -->
+
+    <!-- Profiles of settings. -->
+    <profiles>
+        <!-- Default settings. -->
+        <default>
+            <!-- Maximum memory usage for processing single query, in bytes. -->
+            <max_memory_usage>10000000000</max_memory_usage>
+
+            <!-- How to choose between replicas during distributed query processing.
+                 random - choose random replica from set of replicas with minimum number of errors
+                 nearest_hostname - from set of replicas with minimum number of errors, choose replica
+                  with minimum number of different symbols between replica's hostname and local hostname
+                  (Hamming distance).
+                 in_order - first live replica is chosen in specified order.
+                 first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
+            -->
+            <load_balancing>random</load_balancing>
+        </default>
+
+        <!-- Profile that allows only read queries. -->
+        <readonly>
+            <readonly>1</readonly>
+        </readonly>
+    </profiles>
+
+    <!-- Users and ACL. -->
+    <users>
+        <!-- If user name was not specified, 'default' user is used. -->
+        <default>
+            <!-- See also the files in users.d directory where the password can be overridden.
+
+                 Password could be specified in plaintext or in SHA256 (in hex format).
+
+                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
+                 Example: <password>qwerty</password>.
+                 Password could be empty.
+
+                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
+                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
+                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
+
+                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
+                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
+
+                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
+                  place its name in 'server' element inside 'ldap' element.
+                 Example: <ldap><server>my_ldap_server</server></ldap>
+
+                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
+                  place 'kerberos' element instead of 'password' (and similar) elements.
+                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
+                  whose initiator's realm matches it.
+                 Example: <kerberos />
+                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
+
+                 How to generate decent password:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
+                 In first line will be password and in second - corresponding SHA256.
+
+                 How to generate double SHA1:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+                 In first line will be password and in second - corresponding double SHA1.
+            -->
+            <password></password>
+
+            <!-- List of networks with open access.
+
+                 To open access from everywhere, specify:
+                    <ip>::/0</ip>
+
+                 To open access only from localhost, specify:
+                    <ip>::1</ip>
+                    <ip>127.0.0.1</ip>
+
+                 Each element of list has one of the following forms:
+                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
+                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
+                 <host> Hostname. Example: server01.clickhouse.com.
+                     To check access, DNS query is performed, and all received addresses compared to peer address.
+                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
+                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
+                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
+                     Strongly recommended that regexp is ends with $
+                 All results of DNS requests are cached till server restart.
+            -->
+            <networks>
+                <ip>::/0</ip>
+            </networks>
+
+            <!-- Settings profile for user. -->
+            <profile>default</profile>
+
+            <!-- Quota for user. -->
+            <quota>default</quota>
+
+            <!-- User can create other users and grant rights to them. -->
+            <!-- <access_management>1</access_management> -->
+        </default>
+    </users>
+
+    <!-- Quotas. -->
+    <quotas>
+        <!-- Name of quota. -->
+        <default>
+            <!-- Limits for time interval. You could specify many intervals with different limits. -->
+            <interval>
+                <!-- Length of interval. -->
+                <duration>3600</duration>
+
+                <!-- No limits. Just calculate resource usage for time interval. -->
+                <queries>0</queries>
+                <errors>0</errors>
+                <result_rows>0</result_rows>
+                <read_rows>0</read_rows>
+                <execution_time>0</execution_time>
+            </interval>
+        </default>
+    </quotas>
+</clickhouse>

ansible/app-configs/signoz_common_otel_otel-collector-opamp-config.yaml.j2

@@ -0,0 +1 @@
+server_endpoint: ws://signoz:4320/v1/opamp

ansible/app-configs/signoz_common_signoz_otel-collector-opamp-config.yaml.j2

@@ -0,0 +1 @@
+server_endpoint: ws://signoz:4320/v1/opamp

ansible/app-configs/signoz_common_signoz_prometheus.yml.j2

@@ -0,0 +1,25 @@
+# my global config
+global:
+  scrape_interval:     5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  # scrape_timeout is set to the global default (10s).
+
+# Alertmanager configuration
+alerting:
+  alertmanagers:
+  - static_configs:
+    - targets:
+      - alertmanager:9093
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files: []
+  # - "first_rules.yml"
+  # - "second_rules.yml"
+  # - 'alerts.yml'
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs: []
+
+remote_read:
+  - url: tcp://clickhouse:9000/signoz_metrics

ansible/group_vars/all.yml

@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
   $ANSIBLE_VAULT;1.1;AES256
-  39306238386563313462666238333237346239326636633731326263653639646235363937386333
+  62353532343234343230663331623062376533346166343963383464303535646362376233663361
-  6138653434613437643134653463363230303038373765380a636162663734393632396638313261
+  3532343530653365663331393339646337653564316337390a646264353561623132366635343032
-  39613730633935373063663030616131653731376461333762633131633066366165343536323031
+  63326535376434353837663334366336613631346161363034646134333439613531376362646161
-  3539373461383138310a383734313237313231363539383632323130336536656662313861336261
+  6438316662626566340a346665666234386630633764376336333063363934643162393565386330
-  65393033633461363837366462656134386430353236343136616161663364376261623834366466
+  35333139303939613232303264646236326637613862303339353334623066393966353032333839
-  30303765393039376666303937663839663630623063666135313636353432396161333434653435
+  33323962303635333335376364366336663035303530396262356130373537363134303937353433
-  32623634313531343466613966663139333234616137646636636134373264333263343533393331
+  34393338336666396338616465666466613931373461663761366235643437646136373039353939
-  32313530373164653730656662383837626139643364376134376634613237323063343731663734
+  33643133313264303637646336653537383337336661313765663366356262343064316334313337
-  36306335303936633334353564306239663563366435316464343039373965383032
+  35306232303132653566356130343366313139336665313737363732613261623439
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"

docker-compose.yml

@@ -1,13 +1,5 @@
 name: compose
 networks:
-  bitmagnet:
-    driver: bridge
-    ipam:
-      config:
-        - gateway: 192.168.55.1
-          subnet: 192.168.55.0/27
-      driver: default
-    name: compose_bitmagnet
   default:
     name: compose_default
   nextcloud-aio:
@@ -21,65 +13,6 @@ x-app-common: &jitsi_admin_app
     PHP_INI_MEMORY_LIMIT: "1G"
     PHP_EXTENSION_LDAP: 1
     PHP_EXTENSION_INTL: 1
-x-shared:
-  zammad-service: &zammad-service
-    environment: &zammad-environment
-      MEMCACHE_SERVERS: ${ZAMMAD_MEMCACHE_SERVERS:-zammad-memcached:11211}
-      POSTGRESQL_DB: ${ZAMMAD_POSTGRES_DB:-zammad_production}
-      POSTGRESQL_HOST: ${ZAMMAD_POSTGRES_HOST:-zammad-postgresql}
-      POSTGRESQL_USER: ${ZAMMAD_POSTGRES_USER:-zammad}
-      POSTGRESQL_PASS: ${ZAMMAD_POSTGRES_PASS:-zammad}
-      POSTGRESQL_PORT: ${ZAMMAD_POSTGRES_PORT:-5432}
-      POSTGRESQL_OPTIONS: ${ZAMMAD_POSTGRESQL_OPTIONS:-?pool=50}
-      POSTGRESQL_DB_CREATE:
-      REDIS_URL: ${ZAMMAD_REDIS_URL:-redis://zammad-redis:6379}
-      S3_URL: http://${ZAMMAD_S3_ACCESS_KEY}:${ZAMMAD_S3_SECRET_KEY}@minio:9000/zammad-storage-bucket?region=us-east-fh-pln&force_path_style=true
-      # Backup settings
-      BACKUP_DIR: "${BACKUP_DIR:-/var/tmp/zammad}"
-      BACKUP_TIME: "${BACKUP_TIME:-03:00}"
-      HOLD_DAYS: "${HOLD_DAYS:-7}"
-      TZ: "${TZ:-Europe/Berlin}"
-      # Allow passing in these variables via .env:
-      AUTOWIZARD_JSON:
-      AUTOWIZARD_RELATIVE_PATH:
-      ELASTICSEARCH_ENABLED: false
-      ELASTICSEARCH_SCHEMA:
-      ELASTICSEARCH_HOST:
-      ELASTICSEARCH_PORT:
-      ELASTICSEARCH_USER: ${ELASTICSEARCH_USER:-elastic}
-      ELASTICSEARCH_PASS: ${ELASTICSEARCH_PASS:-zammad}
-      ELASTICSEARCH_NAMESPACE:
-      ELASTICSEARCH_REINDEX:
-      NGINX_PORT:
-      NGINX_EXPOSE_PORT: 15257
-      NGINX_CLIENT_MAX_BODY_SIZE:
-      NGINX_SERVER_NAME:
-      NGINX_SERVER_SCHEME:
-      RAILS_TRUSTED_PROXIES: 172.18.0.0/16
-      ZAMMAD_HTTP_TYPE:
-      ZAMMAD_FQDN:
-      ZAMMAD_WEB_CONCURRENCY:
-      ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS:
-      ZAMMAD_PROCESS_SCHEDULED_JOBS_WORKERS:
-      ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
-      # ZAMMAD_SESSION_JOBS_CONCURRENT is deprecated, please use ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS instead.
-      ZAMMAD_SESSION_JOBS_CONCURRENT:
-      # Variables used by ngingx-proxy container for reverse proxy creations
-      # for docs refer to https://github.com/nginx-proxy/nginx-proxy
-      VIRTUAL_HOST:
-      VIRTUAL_PORT:
-      # Variables used by acme-companion for retrieval of LetsEncrypt certificate
-      # for docs refer to https://github.com/nginx-proxy/acme-companion
-      LETSENCRYPT_HOST:
-      LETSENCRYPT_EMAIL:
-    image: ${IMAGE_REPO:-ghcr.io/zammad/zammad}:${VERSION:-6.5.0-15}
-    restart: ${RESTART:-always}
-    volumes:
-      - zammad-storage:/opt/zammad/storage
-    depends_on:
-      - zammad-memcached
-      - zammad-postgresql
-      - zammad-redis
 x-maxun: &maxun-env
   environment:
     NODE_ENV: production
@@ -101,15 +34,74 @@ x-maxun: &maxun-env
     BACKEND_PORT: 8080
     FRONTEND_PORT: 5173
     BACKEND_URL: http://maxun-backend:8080
-    PUBLIC_URL: http://maxun-frontend:5173
+    PUBLIC_URL: https://scrape.trez.wtf
     VITE_BACKEND_URL: http://maxun-backend:8080
-    VITE_PUBLIC_URL: http://maxun-frontend:5173
+    VITE_PUBLIC_URL: https://scrape.trez.wtf
     MAXUN_TELEMETRY: true
     PLAYWRIGHT_BROWSERS_PATH: /ms-playwright
     PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 0
     CHROMIUM_FLAGS: '--disable-gpu --no-sandbox --headless=new'
     #DEBUG: pw:api
     #PWDEBUG: 1
+x-signoz-common: &signoz-common
+  # networks:
+  #   - signoz-net
+  restart: unless-stopped
+  # logging:
+  #   options:
+  #     max-size: 50m
+  #     max-file: "3"
+x-signoz-clickhouse-defaults: &signoz-clickhouse-defaults
+  <<: *signoz-common
+  # addding non LTS version due to this fix https://github.com/ClickHouse/ClickHouse/commit/32caf8716352f45c1b617274c7508c86b7d1afab
+  image: clickhouse/clickhouse-server:24.1.2-alpine
+  tty: true
+  labels:
+    signoz.io/scrape: "true"
+    signoz.io/port: "9363"
+    signoz.io/path: "/metrics"
+  depends_on:
+    signoz-init-clickhouse:
+      condition: service_completed_successfully
+    signoz-zookeeper-1:
+      condition: service_healthy
+  healthcheck:
+    test:
+      - CMD
+      - wget
+      - --spider
+      - -q
+      - 0.0.0.0:8123/ping
+    interval: 30s
+    timeout: 5s
+    retries: 3
+  ulimits:
+    nproc: 65535
+    nofile:
+      soft: 262144
+      hard: 262144
+x-signoz-zookeeper-defaults: &signoz-zookeeper-defaults
+  <<: *signoz-common
+  image: bitnami/zookeeper:3.7.1
+  user: root
+  labels:
+    signoz.io/scrape: "true"
+    signoz.io/port: "9141"
+    signoz.io/path: "/metrics"
+  healthcheck:
+    test:
+      - CMD-SHELL
+      - curl -s -m 2 http://localhost:8080/commands/ruok | grep error | grep null
+    interval: 30s
+    timeout: 5s
+    retries: 3
+x-signoz-db-depend: &signoz-db-depend
+  <<: *signoz-common
+  depends_on:
+    signoz-clickhouse:
+      condition: service_healthy
+    signoz-schema-migrator-sync:
+      condition: service_completed_successfully
 services:
   actual_server:
     container_name: actualbudget
@@ -138,6 +130,9 @@ services:
     volumes:
       - ${DOCKER_VOLUME_CONFIG}/actual-budget:/data
   adguard:
+    cap_add:
+      - NET_BIND_SERVICE
+      - NET_RAW
     container_name: adguard
     environment:
       TZ: ${TZ}
@@ -145,6 +140,8 @@ services:
     labels:
       swag: enable
       swag_proto: http
+      swag_port: 8008
+      swag_address: 192.168.1.254
       swag_url: adgh.${MY_TLD}
       homepage.group: System Administration
       homepage.name: AdGuard Home
@@ -152,18 +149,19 @@ services:
       homepage.href: https://adgh.${MY_TLD}
       homepage.description: Ad-blocking/DNS
       homepage.widget.type: adguard
-      homepage.widget.url: http://adguard:80
+      homepage.widget.url: http://192.168.1.254:8008
       homepage.widget.username: admin
       homepage.widget.password: ${ADGUARD_PASSWORD}
-    ports:
+    network_mode: host
-      - "192.168.1.254:53:53/udp"
+    # ports:
-      - "192.168.1.254:53:53/tcp"
+    #   - "192.168.1.254:53:53/udp"
-      - 3001:3000
+    #   - "192.168.1.254:53:53/tcp"
-      - "192.168.1.254:446:443/tcp"
+    #   - 3001:3000
-      - 8008:80
+    #   - "192.168.1.254:446:443/tcp"
-      - "192.168.1.254:853:853/tcp"
+    #   - 8008:80
-      - 67:67
+    #   - "192.168.1.254:853:853/tcp"
-      - 688:68
+    #   - 67:67
+    #   - 688:68
     restart: unless-stopped
     user: 1000:1000
     volumes:
@@ -1041,6 +1039,61 @@ services:
         source: /var/run/docker.sock
         target: /var/run/docker.sock
         type: bind
+  dockflare:
+    container_name: dockflare
+    environment:
+      AGENT_STATUS_UPDATE_INTERVAL_SECONDS: 10
+      CF_ACCOUNT_ID: ${CLOUDFLARE_ACCOUNT_ID}
+      CF_API_TOKEN: ${CLOUDFLAREDDNS_ENVIRONMENT_APITOKEN}
+      CF_ZONE_ID: ${CLOUDFLARE_ZONE_ID}
+      CLEANUP_INTERVAL_SECONDS: 300
+      CLOUDFLARED_NETWORK_NAME: compose_default
+      DEFAULT_NO_TLS_VERIFY: false
+      GRACE_PERIOD_SECONDS: 600
+      LABEL_PREFIX: cloudflare.tunnel
+      MAX_CONCURRENT_DNS_OPS: 3
+      RECONCILIATION_BATCH_SIZE: 3
+      SCAN_ALL_NETWORKS: false
+      STATE_FILE_PATH: /app/data/state.json
+      TRUSTED_PROXIES: 192.168.1.0/24,172.18.0.0/16
+      TUNNEL_DNS_SCAN_ZONE_NAMES:
+      TUNNEL_NAME: dockflared-tunnel
+      TZ: ${TZ}
+    image: alplat/dockflare:stable # Or :unstable for the latest features
+    labels:
+      homepage.group: Privacy/Security
+      homepage.name: DockFlare
+      homepage.href: https://cftunn.${MY_TLD}
+      homepage.icon: /icons/dockflare.png
+      homepage.description: Cloudflare Tunnel controller
+      swag: enable
+      swag_proto: http
+      swag_url: cftunn.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://cftunn.${MY_TLD}
+      swag.uptime-kuma.monitor.interval: 300
+      ### EXAMPLE CF TUNNEL LABELS ###
+      # Enable DockFlare management for this container
+      # - "cloudflare.tunnel.enable=true" 
+      # The public hostname to expose
+      # - "cloudflare.tunnel.hostname=my-service.example.com"
+      # The internal service address (protocol://container_name_or_ip:port)
+      # Service type (http, https, tcp, ssh, rdp, http_status) is inferred from the prefix.
+      # - "cloudflare.tunnel.service=http://my-service:80" 
+      # Optional: Specify a URL path. Only requests to hostname/path will match.
+      # - "cloudflare.tunnel.path=/app"
+      # Optional: Specify a different Cloudflare Zone for this hostname
+      # - "cloudflare.tunnel.zonename=another.example.com"
+      # Optional: Disable TLS verification if your internal service uses HTTP or a self-signed cert
+      # - "cloudflare.tunnel.no_tls_verify=true"
+      # Optional: Specify Origin Server Name (SNI) for TLS connection to origin
+      # - "cloudflare.tunnel.originsrvname=internal.service.local"
+    ports:
+      - 20756:5000
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - dockflare_data:/app/data
   duplicati:
     container_name: duplicati
     environment:
@@ -1204,6 +1257,54 @@ services:
         source: /rinoa-storage
         target: /storage
         type: bind
+  freescout:
+    container_name: freescout
+    depends_on:
+      mariadb:
+        condition: service_started
+        required: true
+    environment:
+      ADMIN_EMAIL: it-services@${MY_TLD}
+      ADMIN_FIRST_NAME: Treasured
+      ADMIN_LAST_NAME: IT
+      ADMIN_PASS: ${FREESCOUT_ADMIN_PASS}
+      APP_TRUSTED_PROXIES: 172.18.0.0/16,192.168.1.0/24
+      DB_TYPE: mysql
+      DB_HOST: mariadb
+      DB_PORT: 3306
+      DB_NAME: freescout
+      DB_USER: freescout
+      DB_PASS: ${FREESCOUT_DB_PASS}
+      DB_SSL: FALSE
+      DISPLAY_ERRORS: TRUE
+      ENABLE_AUTO_UPDATE: TRUE
+      SETUP_TYPE: AUTO
+      SITE_URL: https://support.${MY_TLD}
+      SKIP_STORAGE_PERMISSIONS: FALSE
+      TIMEZONE: ${TZ}
+    image: tiredofit/freescout:latest
+    labels:
+      homepage.group: Personal/Professional Services
+      homepage.name: FreeScout
+      homepage.icon: sh-freescout.svg
+      homepage.href: https://support.${MY_TLD}
+      homepage.description: Lightweight help desk and shared inbox
+      swag: enable
+      swag_proto: http
+      swag_port: 80
+      swag_url: support.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://support.${MY_TLD}
+      swag.uptime-kuma.monitor.interval: 300
+    ports:
+      - 59095:80
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/freescout/assets/modules:/assets/modules
+      - ${DOCKER_VOLUME_CONFIG}/freescout/assets/custom:/assets/custom
+      - ${DOCKER_VOLUME_CONFIG}/freescout/assets/custom-scripts:/assets/custom-scripts
+      - ${DOCKER_VOLUME_CONFIG}/freescout/data:/www/html
+      - ${DOCKER_VOLUME_CONFIG}/freescout/logs/:/www/logs
   ghost:
     container_name: ghost_blog
     depends_on:
@@ -1336,7 +1437,7 @@ services:
     environment:
       CONFIG_FILE: /config.yaml
       DOCKER_HOST: tcp://dockerproxy:2375
-      GITEA_INSTANCE_URL: https://git.trez.wtf
+      GITEA_INSTANCE_URL: http://gitea:3000
       GITEA_RUNNER_REGISTRATION_TOKEN: "${GITEA_RUNNER_REGISTRATION_TOKEN}"
       GITEA_RUNNER_NAME: "gitea-runner-1"
     image: gitea/act_runner:latest
@@ -1373,13 +1474,7 @@ services:
       VPN_SERVICE_PROVIDER: private internet access
     expose:
       - 8000
-    extra_hosts:
-      - bitmagnet-pg-db:192.168.55.8
     image: qmcgaw/gluetun:latest
-    networks:
-      bitmagnet:
-        ipv4_address: 192.168.55.7
-      default: null
     ports:
       - 3333:3333
       - 3334:3334
@@ -1633,7 +1728,7 @@ services:
       swag_proto: http
       swag_port: 2283
       swag_url: pics.${MY_TLD}
-
+      swag_server_custom_directive:
         location /share {
               proxy_pass http://immich-public-proxy:3000;
         }
@@ -2691,6 +2786,8 @@ services:
     container_name: librechat-rag-api
     depends_on:
       - librechat-vectordb
+    # env_file:
+    #   - ${DOCKER_VOLUME_CONFIG}/librechat/librechat.env
     environment:
       DB_HOST: librechat-vectordb
       OPENAI_API_KEY: ${LIBRECHAT_OPENAI_API_KEY}
@@ -2703,8 +2800,6 @@ services:
       RAG_PORT: 8000
     image: ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest
     restart: always
-    # env_file:
-    #   - ${DOCKER_VOLUME_CONFIG}/librechat/librechat.env
   libretranslate:
     container_name: libretranslate
     # command: --ssl --ga-id MY-GA-ID --req-limit 100 --char-limit 500
@@ -3119,7 +3214,7 @@ services:
     restart: unless-stopped
   maxun-pg-db:
     container_name: maxun-pg-db
-    image: postgres:17-alpine
+    image: postgres:13-alpine
     environment:
       POSTGRES_USER: maxun
       POSTGRES_PASSWORD: ${MAXUN_DB_PASSWORD}
@@ -3127,7 +3222,7 @@ services:
     expose:
       - 5432
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      test: ["CMD-SHELL", "pg_isready -U maxun"]
       interval: 10s
       timeout: 5s
       retries: 5
@@ -4441,6 +4536,145 @@ services:
       - semaphore_config:/etc/semaphore
       - semaphore_data:/var/lib/semaphore
       - semaphore_tmp:/tmp/semaphore
+  signoz-init-clickhouse:
+    <<: *signoz-common
+    container_name: signoz-init-clickhouse
+    command:
+      - bash
+      - -c
+      - |
+        version="v0.0.1"
+        node_os=$$(uname -s | tr '[:upper:]' '[:lower:]')
+        node_arch=$$(uname -m | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
+        echo "Fetching histogram-binary for $${node_os}/$${node_arch}"
+        cd /tmp
+        wget -O histogram-quantile.tar.gz "https://github.com/SigNoz/signoz/releases/download/histogram-quantile%2F$${version}/histogram-quantile_$${node_os}_$${node_arch}.tar.gz"
+        tar -xvzf histogram-quantile.tar.gz
+        mv histogram-quantile /var/lib/clickhouse/user_scripts/histogramQuantile
+    image: clickhouse/clickhouse-server:24.1.2-alpine
+    restart: on-failure
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/user_scripts/:/var/lib/clickhouse/user_scripts/
+  signoz-zookeeper-1:
+    <<: *signoz-zookeeper-defaults
+    container_name: signoz-zookeeper-1
+    environment:
+      ZOO_SERVER_ID: 1
+      ALLOW_ANONYMOUS_LOGIN: yes
+      ZOO_AUTOPURGE_INTERVAL: 1
+      ZOO_ENABLE_PROMETHEUS_METRICS: yes
+      ZOO_PROMETHEUS_METRICS_PORT_NUMBER: 9141
+    # ports:
+    #   - "2181:2181"
+    #   - "2888:2888"
+    #   - "3888:3888"
+    volumes:
+      - signoz-zookeeper-1:/bitnami/zookeeper
+  signoz-clickhouse:
+    <<: *signoz-clickhouse-defaults
+    container_name: signoz-clickhouse
+    expose:
+      - 9000
+    ports:
+    #   - "9000:9000"
+      - "8123:8123"
+      - "9181:9181"
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/config.xml:/etc/clickhouse-server/config.xml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/users.xml:/etc/clickhouse-server/users.xml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/custom-function.xml:/etc/clickhouse-server/custom-function.xml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/user_scripts:/var/lib/clickhouse/user_scripts/
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/cluster.xml:/etc/clickhouse-server/config.d/cluster.xml
+      - signoz-clickhouse:/var/lib/clickhouse/
+      # - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/storage.xml:/etc/clickhouse-server/config.d/storage.xml
+  signoz-app:
+    <<: *signoz-db-depend
+    container_name: signoz-app
+    command:
+      - --config=/root/config/prometheus.yml
+    environment:
+       SIGNOZ_ALERTMANAGER_PROVIDER: signoz
+       SIGNOZ_TELEMETRYSTORE_CLICKHOUSE_DSN: tcp://signoz-clickhouse:9000
+       SIGNOZ_SQLSTORE_SQLITE_PATH: /var/lib/signoz/signoz.db
+       DASHBOARDS_PATH: /root/config/dashboards
+       STORAGE: clickhouse
+       GODEBUG: netdns=go
+       TELEMETRY_ENABLED: true
+       DEPLOYMENT_TYPE: docker-standalone-amd
+    healthcheck:
+      test:
+        - CMD
+        - wget
+        - --spider
+        - -q
+        - localhost:8080/api/v1/health
+      interval: 30s
+      timeout: 5s
+      retries: 3
+    image: signoz/signoz:${VERSION:-v0.86.2}
+    labels:
+      homepage.group: Infrastructure/App Performance Monitoring
+      homepage.name: Signoz
+      homepage.href: https://apm.${MY_TLD}
+      homepage.icon: signoz.svg
+      homepage.description: Logs, metrics, and traces in a single pane
+      swag: enable
+      swag_proto: http
+      swag_port: 8080
+      swag_url: apm.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://apm.${MY_TLD}
+      swag.uptime-kuma.monitor.interval: 300
+    ports:
+      - 36113:8080 # signoz port
+      # - "6060:6060"     # pprof port
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/prometheus.yml:/root/config/prometheus.yml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/dashboards:/root/config/dashboards
+      - signoz-sqlite:/var/lib/signoz/
+  signoz-otel-collector:
+    <<: *signoz-db-depend
+    container_name: signoz-otel-collector
+    command:
+      - --config=/etc/otel-collector-config.yaml
+      - --manager-config=/etc/manager-config.yaml
+      - --copy-path=/var/tmp/collector-config.yaml
+      - --feature-gates=-pkg.translator.prometheus.NormalizeName
+    depends_on:
+      signoz-app:
+        condition: service_healthy
+    environment:
+      OTEL_RESOURCE_ATTRIBUTES: host.name=signoz-host,os.type=linux
+      LOW_CARDINAL_EXCEPTION_GROUPING: false
+    image: signoz/signoz-otel-collector:${OTELCOL_TAG:-v0.111.42}
+    ports:
+      # - "1777:1777"     # pprof extension
+      - "4317:4317" # OTLP gRPC receiver
+      - "4318:4318" # OTLP HTTP receiver
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/otel/otel-collector-config.yaml:/etc/otel-collector-config.yaml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/otel/otel-collector-opamp-config.yaml:/etc/manager-config.yaml
+  signoz-schema-migrator-sync:
+    <<: *signoz-common
+    image: signoz/signoz-schema-migrator:${OTELCOL_TAG:-v0.111.42}
+    container_name: schema-migrator-sync
+    command:
+      - sync
+      - --dsn=tcp://signoz-clickhouse:9000
+      - --up=
+    depends_on:
+      signoz-clickhouse:
+        condition: service_healthy
+    restart: on-failure
+  signoz-schema-migrator-async:
+    <<: *signoz-db-depend
+    image: signoz/signoz-schema-migrator:${OTELCOL_TAG:-v0.111.42}
+    container_name: schema-migrator-async
+    command:
+      - async
+      - --dsn=tcp://signoz-clickhouse:9000
+      - --up=
+    restart: on-failure
   sonarqube:
     container_name: sonarqube
     depends_on:
@@ -5071,12 +5305,6 @@ services:
       swag_proto: http
       swag_url: scan.${MY_TLD}
       swag_port: 3000
-      swag_server_custom_directive: |
-        include /config/nginx/sablier-server.conf;
-
-        location / {
-              proxy_pass http://immich-public-proxy:3000;
-        }
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://scan.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -5231,95 +5459,6 @@ services:
         source: /rinoa-storage
         target: /storage
         type: bind
-  zammad-backup:
-    <<: *zammad-service
-    container_name: zammad-backup
-    command: ["zammad-backup"]
-    volumes:
-      - zammad-backup:/var/tmp/zammad
-      - zammad-storage:/opt/zammad/storage:ro
-    user: 0:0
-  zammad-elasticsearch:
-    container_name: zammad-elasticsearch
-    image: bitnami/elasticsearch:${ELASTICSEARCH_VERSION:-8.17.4}
-    restart: ${RESTART:-always}
-    profiles:
-      - do-not-start
-    volumes:
-      - zammad-elasticsearch-data:/bitnami/elasticsearch/data
-    environment:
-      # Enable authorization without HTTPS. For external access with
-      #   SSL termination, use solutions like nginx-proxy-manager.
-      ELASTICSEARCH_ENABLE_SECURITY: 'true'
-      ELASTICSEARCH_SKIP_TRANSPORT_TLS: 'true'
-      ELASTICSEARCH_ENABLE_REST_TLS: 'false'
-      # ELASTICSEARCH_USER is hardcoded to 'elastic' in the container.
-      ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASS:-zammad}
-  zammad-init:
-    <<: *zammad-service
-    container_name: zammad-init
-    command: ["zammad-init"]
-    depends_on:
-      - zammad-postgresql
-    restart: on-failure
-    user: 0:0
-  zammad-memcached:
-    container_name: zammad-memcached
-    command: memcached -m 256M
-    image: memcached:${MEMCACHE_VERSION:-1.6.38-alpine}
-    restart: ${RESTART:-always}
-  zammad-nginx:
-    <<: *zammad-service
-    container_name: zammad-nginx
-    command: ["zammad-nginx"]
-    expose:
-      - 8080
-    ports:
-      - 15257:8080
-    labels:
-      swag: enable
-      swag_proto: http
-      swag_port: 8080
-      swag_url: support.${MY_TLD}
-      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://support.${MY_TLD}
-      homepage.group: Personal/Professional Services
-      homepage.name: Zammad
-      homepage.href: https://support.${MY_TLD}
-      homepage.icon: zammad.svg
-      homepage.description: Open-source helpdesk/customer support system
-    depends_on:
-      - zammad-railsserver
-  zammad-postgresql:
-    container_name: zammad-postgresql
-    environment:
-      POSTGRES_DB: ${ZAMMAD_POSTGRES_DB:-zammad_production}
-      POSTGRES_USER: ${ZAMMAD_POSTGRES_USER:-zammad}
-      POSTGRES_PASSWORD: ${ZAMMAD_POSTGRES_PASS:-zammad}
-    image: postgres:${ZAMMAD_POSTGRES_VERSION:-17.4-alpine}
-    restart: ${RESTART:-always}
-    volumes:
-      - zammad-postgresql-data:/var/lib/postgresql/data
-  zammad-railsserver:
-    <<: *zammad-service
-    container_name: zammad-railsserver
-    command: ["zammad-railsserver"]
-    expose:
-      - 3000
-  zammad-redis:
-    container_name: zammad-redis
-    image: redis:${REDIS_VERSION:-7.4.2-alpine}
-    restart: ${RESTART:-always}
-    volumes:
-      - zammad-redis-data:/data
-  zammad-scheduler:
-    <<: *zammad-service
-    container_name: zammad-scheduler
-    command: ["zammad-scheduler"]
-  zammad-websocket:
-    <<: *zammad-service
-    container_name: zammad-websocket
-    command: ["zammad-websocket"]
 volumes:
   authelia-pg-db:
     name: authelia-pg-db
@@ -5337,6 +5476,8 @@ volumes:
     name: dawarich_public
   dawarich_watched:
     name: dawarich_watched
+  dockflare_data:
+    name: dockflare_data
   fastenhealth-cache:
     name: fastenhealth-cache
   fastenhealth-db:
@@ -5347,18 +5488,6 @@ volumes:
     name: graylog-data
   graylog-datanode:
     name: graylog-datanode
-  hortusfox_app_backup:
-    name: hortusfox_app_backup
-  hortusfox_app_images:
-    name: hortusfox_app_images
-  hortusfox_app_logs:
-    name: hortusfox_app_logs
-  hortusfox_app_migrate:
-    name: hortusfox_app_migrate
-  hortusfox_app_themes:
-    name: hortusfox_app_themes
-  hortusfox_db_data:
-    name: hortusfox_db_data
   immich-model-cache:
     name: immich-model-cache
   influxdb2-data:
@@ -5401,12 +5530,6 @@ volumes:
     name: mongodb_data
   n8n-data:
     name: n8n-data
-  netbird-mgmt:
-    name: netbird-mgmt
-  netbird-signal:
-    name: netbird-signal
-  netbird-letsencrypt:
-    name: netbird-letsencrypt
   nextcloud_aio_mastercontainer:
     name: nextcloud_aio_mastercontainer
   ollama:
@@ -5433,6 +5556,12 @@ volumes:
     name: semaphore_data
   semaphore_tmp:
     name: semaphore_tmp
+  signoz-clickhouse:
+    name: signoz-clickhouse
+  signoz-sqlite:
+    name: signoz-sqlite
+  signoz-zookeeper-1:
+    name: signoz-zookeeper-1
   sonarqube-data:
     name: sonarqube-data
   sonarqube-db:
@@ -5452,14 +5581,4 @@ volumes:
   wallos-db:
     name: wallos-db
   wallos-logos:
-    name: wallos-logos
+    name: wallos-logos
-  zammad-backup:
-    name: zammad-backup
-  zammad-storage:
-    name: zammad-storage
-  zammad-elasticsearch-data:
-    name: zammad-elasticsearch-data
-  zammad-postgresql-data:
-    name: zammad-postgresql-data
-  zammad-redis-data:
-    name: zammad-redis-data