chore: Update README

Merged by Trez.One

.gitea/workflows/pr-ansible-config-deployment.yaml

@@ -1,5 +1,6 @@
 name: Gitea Branch PR & Ansible Deployment
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'main'
@@ -48,7 +49,7 @@ jobs:
           tea login default gitea-rinoa
           pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
           pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -139,8 +140,8 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: PR Merge Successful'
           notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-docker-compose-deploy:
-    name: Ansible Configs & Docker Compose Deployment
+  ansible-config-deploy:
+    name: Ansible Config Deployment
     runs-on: ubuntu-latest
     needs: [pr-merge]
     env:
@@ -173,7 +174,7 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
           notification_message: 'Starting config deployment with Ansible...'
-      - name: Ansible Playbook Dry Run
+      - name: Ansible Playbook Config Deploy
         uses: arillso/action.playbook@0.1.0
         with:
           check: false

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -1,5 +1,6 @@
 name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'main'
@@ -49,7 +50,7 @@ jobs:
           tea login default gitea-rinoa
           pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
           pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -65,6 +66,7 @@ jobs:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
       VAULT_NAMESPACE: ""
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
     outputs:
       svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
     steps:
@@ -75,7 +77,7 @@ jobs:
           git fetch origin ${{ github.event.pull_request.base.ref }}
       - name: Login to Gitea Container Registry
         run: |
-          docker login -u gitea-sonarqube-bot -p ${{ secrets.BOT_GITEA_PASSWORD }} git.trez.wtf
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
       - name: Save both versions of docker-compose.yml
         run: |
           git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
@@ -134,14 +136,17 @@ jobs:
       - name: Docker Compose Dry Run
         timeout-minutes: 360
         continue-on-error: true
-        uses: keatonLiu/docker-compose-remote-action@v1.2
+        uses: chaplyk/docker-compose-remote-action@v1.1
         with:
-          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing ${{ steps.modded_svcs.outputs.rinoa_svcs }}
-          ssh_user: gitea-deploy
           ssh_host: 192.168.1.254
-          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
-          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          ssh_port: 22
+          ssh_user: gitea-deploy
+          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          service: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+          compose_file: docker-compose.yml
+          pull: false
+          build: false
+          options: -d --remove-orphans
         env:
           DOCKER_HOST: tcp://dockerproxy:2375
       - name: Gotify Notification
@@ -294,11 +299,13 @@ jobs:
   docker-compose-deploy:
     name: Docker Compose Deployment
     runs-on: ubuntu-latest
-    needs: [pr-merge]
+    needs: [docker-compose-dry-run, pr-merge]
     env:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
       DOCKER_HOST: tcp://dockerproxy:2375
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+      DOCKER_SVC_LIST: ${{ needs.docker-compose-dry-run.outputs.svc_deploy_list }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -318,7 +325,7 @@ jobs:
         uses: cpanato/vault-installer@main
       - name: Login to Gitea Container Registry
         run: |
-          docker login -u gitea-sonarqube-bot -p ${{ secrets.BOT_GITEA_PASSWORD }} git.trez.wtf
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -329,17 +336,22 @@ jobs:
       - name: Generate .env file for deployment
         run: |
            vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-      - name: Docker Compose Deployment
+      - name: Docker Compose Dry Run
         timeout-minutes: 360
         continue-on-error: true
-        uses: keatonLiu/docker-compose-remote-action@v1.2
+        uses: chaplyk/docker-compose-remote-action@v1.1
+        env:
+          DOCKER_HOST: tcp://dockerproxy:2375
         with:
-          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing ${{ docker-compose-dry-run.outputs.svc_deploy_list }}
-          ssh_user: gitea-deploy
           ssh_host: 192.168.1.254
-          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
-          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          ssh_port: 22
+          ssh_user: gitea-deploy
+          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          service: ${DOCKER_SVC_LIST}
+          compose_file: docker-compose.yml
+          pull: false
+          build: false
+          options: -d --remove-orphans
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:

README.md

@@ -31,6 +31,7 @@
 | dawarich-sidekiq | freikin/dawarich:latest |
 | dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
+| dockflare | alplat/dockflare:stable |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | excalidraw | excalidraw/excalidraw:latest |
 | explo | ghcr.io/lumepart/explo:latest |
@@ -38,7 +39,7 @@
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
 | freescout | tiredofit/freescout:latest |
 | ghost | ghost:latest |
-| gitea | gitea/gitea:1.23.1 |
+| gitea | gitea/gitea:1.24.0 |
 | gitea-db | postgres:14 |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
@@ -129,6 +130,13 @@
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
 | semaphore | semaphoreui/semaphore:v2.12.14 |
+| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
+| signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-app | signoz/signoz:v0.86.2 |
+| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
+| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |

ansible/app-configs/apprise_apprise.yml.j2

@@ -3,4 +3,4 @@
 
 urls:
   - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
+  - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf

ansible/app-configs/crowdsec_config.yaml.j2

@@ -0,0 +1,49 @@
+common:
+  daemonize: false
+  log_media: stdout
+  log_level: info
+  log_dir: /var/log/
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: /var/lib/crowdsec/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+  notification_dir: /etc/crowdsec/notifications/
+  plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  acquisition_dir: /etc/crowdsec/acquis.d
+  parser_routines: 1
+plugin_config:
+  user: nobody
+  group: nobody
+cscli:
+  output: human
+db_config:
+  log_level: info
+  type: sqlite
+  db_path: /var/lib/crowdsec/data/crowdsec.db
+  flush:
+    max_items: 5000
+    max_age: 7d
+  use_wal: false
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+  server:
+    log_level: info
+    listen_uri: 0.0.0.0:8080
+    profiles_path: /etc/crowdsec/profiles.yaml
+    trusted_ips: # IP ranges, or IPs which can have admin API access
+      - 127.0.0.1
+      - ::1
+    online_client: # Central API credentials (to push signals and receive bad IPs)
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+    enable: true
+prometheus:
+  enabled: true
+  level: full
+  listen_addr: 0.0.0.0
+  listen_port: 6060

ansible/app-configs/crowdsec_online-api-credentials.yaml.j2

@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: https://api.crowdsec.net/
+login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}

ansible/app-configs/signoz_common_clickhouse_cluster.ha.xml.j2

@@ -7,7 +7,7 @@
       -->
     <zookeeper>
         <node index="1">
-            <host>zookeeper-1</host>
+            <host>signoz-zookeeper-1</host>
             <port>2181</port>
         </node>
         <node index="2">
@@ -52,7 +52,7 @@
                 <!-- Optional. Shard weight when writing data. Default: 1. -->
                 <!-- <weight>1</weight> -->
                 <replica>
-                    <host>clickhouse</host>
+                    <host>signoz-clickhouse</host>
                     <port>9000</port>
                     <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
                     <!-- <priority>1</priority> -->

ansible/app-configs/signoz_common_clickhouse_cluster.xml.j2

@@ -7,7 +7,7 @@
       -->
     <zookeeper>
         <node index="1">
-            <host>zookeeper-1</host>
+            <host>signoz-zookeeper-1</host>
             <port>2181</port>
         </node>
         <!-- <node index="2">
@@ -52,7 +52,7 @@
                 <!-- Optional. Shard weight when writing data. Default: 1. -->
                 <!-- <weight>1</weight> -->
                 <replica>
-                    <host>clickhouse</host>
+                    <host>signoz-clickhouse</host>
                     <port>9000</port>
                     <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
                     <!-- <priority>1</priority> -->

ansible/group_vars/all.yml

@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
   $ANSIBLE_VAULT;1.1;AES256
-  39306238386563313462666238333237346239326636633731326263653639646235363937386333
-  6138653434613437643134653463363230303038373765380a636162663734393632396638313261
-  39613730633935373063663030616131653731376461333762633131633066366165343536323031
-  3539373461383138310a383734313237313231363539383632323130336536656662313861336261
-  65393033633461363837366462656134386430353236343136616161663364376261623834366466
-  30303765393039376666303937663839663630623063666135313636353432396161333434653435
-  32623634313531343466613966663139333234616137646636636134373264333263343533393331
-  32313530373164653730656662383837626139643364376134376634613237323063343731663734
-  36306335303936633334353564306239663563366435316464343039373965383032
+  62353532343234343230663331623062376533346166343963383464303535646362376233663361
+  3532343530653365663331393339646337653564316337390a646264353561623132366635343032
+  63326535376434353837663334366336613631346161363034646134333439613531376362646161
+  6438316662626566340a346665666234386630633764376336333063363934643162393565386330
+  35333139303939613232303264646236326637613862303339353334623066393966353032333839
+  33323962303635333335376364366336663035303530396262356130373537363134303937353433
+  34393338336666396338616465666466613931373461663761366235643437646136373039353939
+  33643133313264303637646336653537383337336661313765663366356262343064316334313337
+  35306232303132653566356130343366313139336665313737363732613261623439
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"

docker-compose.yml

@@ -1,13 +1,5 @@
 name: compose
 networks:
-  bitmagnet:
-    driver: bridge
-    ipam:
-      config:
-        - gateway: 192.168.55.1
-          subnet: 192.168.55.0/27
-      driver: default
-    name: compose_bitmagnet
   default:
     name: compose_default
   nextcloud-aio:
@@ -51,6 +43,65 @@ x-maxun: &maxun-env
     CHROMIUM_FLAGS: '--disable-gpu --no-sandbox --headless=new'
     #DEBUG: pw:api
     #PWDEBUG: 1
+x-signoz-common: &signoz-common
+  # networks:
+  #   - signoz-net
+  restart: unless-stopped
+  # logging:
+  #   options:
+  #     max-size: 50m
+  #     max-file: "3"
+x-signoz-clickhouse-defaults: &signoz-clickhouse-defaults
+  <<: *signoz-common
+  # addding non LTS version due to this fix https://github.com/ClickHouse/ClickHouse/commit/32caf8716352f45c1b617274c7508c86b7d1afab
+  image: clickhouse/clickhouse-server:24.1.2-alpine
+  tty: true
+  labels:
+    signoz.io/scrape: "true"
+    signoz.io/port: "9363"
+    signoz.io/path: "/metrics"
+  depends_on:
+    signoz-init-clickhouse:
+      condition: service_completed_successfully
+    signoz-zookeeper-1:
+      condition: service_healthy
+  healthcheck:
+    test:
+      - CMD
+      - wget
+      - --spider
+      - -q
+      - 0.0.0.0:8123/ping
+    interval: 30s
+    timeout: 5s
+    retries: 3
+  ulimits:
+    nproc: 65535
+    nofile:
+      soft: 262144
+      hard: 262144
+x-signoz-zookeeper-defaults: &signoz-zookeeper-defaults
+  <<: *signoz-common
+  image: bitnami/zookeeper:3.7.1
+  user: root
+  labels:
+    signoz.io/scrape: "true"
+    signoz.io/port: "9141"
+    signoz.io/path: "/metrics"
+  healthcheck:
+    test:
+      - CMD-SHELL
+      - curl -s -m 2 http://localhost:8080/commands/ruok | grep error | grep null
+    interval: 30s
+    timeout: 5s
+    retries: 3
+x-signoz-db-depend: &signoz-db-depend
+  <<: *signoz-common
+  depends_on:
+    signoz-clickhouse:
+      condition: service_healthy
+    signoz-schema-migrator-sync:
+      condition: service_completed_successfully
 services:
   actual_server:
     container_name: actualbudget
@@ -81,6 +132,7 @@ services:
   adguard:
     cap_add:
       - NET_BIND_SERVICE
+      - NET_RAW
     container_name: adguard
     environment:
       TZ: ${TZ}
@@ -670,36 +722,13 @@ services:
     security_opt:
       - no-new-privileges=true
     volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/crowdsec/config.yaml.local
-        target: /etc/crowdsec/config.yaml.local
-        type: bind
-        bind:
-          create_host_path: true
-      - source: ${DOCKER_VOLUME_CONFIG}/crowdsec/local_api_credentials.yaml.local
-        target: /etc/crowdsec/local_api_credentials.yaml.local
-        type: bind
-        bind:
-          create_host_path: true
-      - read_only: true
-        source: ${DOCKER_VOLUME_CONFIG}/swag/log/nginx
-        target: /var/log/swag
-        type: bind
-        bind:
-          create_host_path: true
-      - source: crowdsec-config
-        target: /etc/crowdsec
-        type: volume
-        volume: {}
-      - source: crowdsec-db
-        target: /var/lib/crowdsec/data
-        type: volume
-        volume: {}
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /var/log/journal
-        target: /var/log/host
-        type: bind
+      - ${DOCKER_VOLUME_CONFIG}/crowdsec/config.yaml.local:/etc/crowdsec/config.yaml
+      - ${DOCKER_VOLUME_CONFIG}/crowdsec/local-api-credentials.yaml:/etc/crowdsec/local_api_credentials.yaml
+      - ${DOCKER_VOLUME_CONFIG}/crowdsec/online-api-credentials.yaml:/etc/crowdsec/online_api_credentials.yaml
+      - ${DOCKER_VOLUME_CONFIG}/swag/log/nginx:/var/log/swag:ro
+      - crowdsec-config:/etc/crowdsec
+      - crowdsec-db:/var/lib/crowdsec/data
+      - /var/log/journal:/var/log/host:ro
   crowdsec-dashboard:
     container_name: crowdsec-dashboard
     depends_on:
@@ -987,6 +1016,62 @@ services:
         source: /var/run/docker.sock
         target: /var/run/docker.sock
         type: bind
+  dockflare:
+    container_name: dockflare
+    environment:
+      AGENT_STATUS_UPDATE_INTERVAL_SECONDS: 10
+      CF_ACCOUNT_ID: ${CLOUDFLARE_ACCOUNT_ID}
+      CF_API_TOKEN: ${CLOUDFLAREDDNS_ENVIRONMENT_APITOKEN}
+      CF_ZONE_ID: ${CLOUDFLARE_ZONE_ID}
+      CLEANUP_INTERVAL_SECONDS: 300
+      CLOUDFLARED_NETWORK_NAME: compose_default
+      DEFAULT_NO_TLS_VERIFY: false
+      GRACE_PERIOD_SECONDS: 600
+      LABEL_PREFIX: cloudflare.tunnel
+      MAX_CONCURRENT_DNS_OPS: 3
+      RECONCILIATION_BATCH_SIZE: 3
+      SCAN_ALL_NETWORKS: false
+      STATE_FILE_PATH: /app/data/state.json
+      TRUSTED_PROXIES: 192.168.1.0/24,172.18.0.0/16
+      TUNNEL_DNS_SCAN_ZONE_NAMES:
+      TUNNEL_NAME: dockflared-tunnel
+      TZ: ${TZ}
+    image: alplat/dockflare:stable # Or :unstable for the latest features
+    labels:
+      homepage.group: Privacy/Security
+      homepage.name: DockFlare
+      homepage.href: https://cftunn.${MY_TLD}
+      homepage.icon: /icons/dockflare.png
+      homepage.description: Cloudflare Tunnel controller
+      swag: enable
+      swag_auth: authelia
+      swag_proto: http
+      swag_url: cftunn.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://cftunn.${MY_TLD}
+      swag.uptime-kuma.monitor.interval: 300
+      ### EXAMPLE CF TUNNEL LABELS ###
+      # Enable DockFlare management for this container
+      # - "cloudflare.tunnel.enable=true" 
+      # The public hostname to expose
+      # - "cloudflare.tunnel.hostname=my-service.example.com"
+      # The internal service address (protocol://container_name_or_ip:port)
+      # Service type (http, https, tcp, ssh, rdp, http_status) is inferred from the prefix.
+      # - "cloudflare.tunnel.service=http://my-service:80" 
+      # Optional: Specify a URL path. Only requests to hostname/path will match.
+      # - "cloudflare.tunnel.path=/app"
+      # Optional: Specify a different Cloudflare Zone for this hostname
+      # - "cloudflare.tunnel.zonename=another.example.com"
+      # Optional: Disable TLS verification if your internal service uses HTTP or a self-signed cert
+      # - "cloudflare.tunnel.no_tls_verify=true"
+      # Optional: Specify Origin Server Name (SNI) for TLS connection to origin
+      # - "cloudflare.tunnel.originsrvname=internal.service.local"
+    ports:
+      - 20756:5000
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - dockflare_data:/app/data
   duplicati:
     container_name: duplicati
     environment:
@@ -1177,13 +1262,14 @@ services:
       TIMEZONE: ${TZ}
     image: tiredofit/freescout:latest
     labels:
-      homepage.group: Lifestyle
+      homepage.group: Personal/Professional Services
       homepage.name: FreeScout
       homepage.icon: sh-freescout.svg
       homepage.href: https://support.${MY_TLD}
       homepage.description: Lightweight help desk and shared inbox
       swag: enable
       swag_proto: http
+      swag_port: 80
       swag_url: support.${MY_TLD}
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://support.${MY_TLD}
@@ -1259,7 +1345,7 @@ services:
       GITEA__mailer__SMTP_PORT: 25
       GITEA__mailer__USER: ${POSTAL_SMTP_AUTH_USER}
       GITEA__mailer__PASSWD: ${POSTAL_SMTP_AUTH_PASSWORD}
-    image: gitea/gitea:1.23.1
+    image: gitea/gitea:1.24.0
     labels:
       homepage.group: Code/DevOps
       homepage.name: Gitea
@@ -1366,13 +1452,7 @@ services:
       VPN_SERVICE_PROVIDER: private internet access
     expose:
       - 8000
-    extra_hosts:
-      - bitmagnet-pg-db:192.168.55.8
     image: qmcgaw/gluetun:latest
-    networks:
-      bitmagnet:
-        ipv4_address: 192.168.55.7
-      default: null
     ports:
       - 3333:3333
       - 3334:3334
@@ -4434,6 +4514,145 @@ services:
       - semaphore_config:/etc/semaphore
       - semaphore_data:/var/lib/semaphore
       - semaphore_tmp:/tmp/semaphore
+  signoz-init-clickhouse:
+    <<: *signoz-common
+    container_name: signoz-init-clickhouse
+    command:
+      - bash
+      - -c
+      - |
+        version="v0.0.1"
+        node_os=$$(uname -s | tr '[:upper:]' '[:lower:]')
+        node_arch=$$(uname -m | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
+        echo "Fetching histogram-binary for $${node_os}/$${node_arch}"
+        cd /tmp
+        wget -O histogram-quantile.tar.gz "https://github.com/SigNoz/signoz/releases/download/histogram-quantile%2F$${version}/histogram-quantile_$${node_os}_$${node_arch}.tar.gz"
+        tar -xvzf histogram-quantile.tar.gz
+        mv histogram-quantile /var/lib/clickhouse/user_scripts/histogramQuantile
+    image: clickhouse/clickhouse-server:24.1.2-alpine
+    restart: on-failure
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/user_scripts/:/var/lib/clickhouse/user_scripts/
+  signoz-zookeeper-1:
+    <<: *signoz-zookeeper-defaults
+    container_name: signoz-zookeeper-1
+    environment:
+      ZOO_SERVER_ID: 1
+      ALLOW_ANONYMOUS_LOGIN: yes
+      ZOO_AUTOPURGE_INTERVAL: 1
+      ZOO_ENABLE_PROMETHEUS_METRICS: yes
+      ZOO_PROMETHEUS_METRICS_PORT_NUMBER: 9141
+    # ports:
+    #   - "2181:2181"
+    #   - "2888:2888"
+    #   - "3888:3888"
+    volumes:
+      - signoz-zookeeper-1:/bitnami/zookeeper
+  signoz-clickhouse:
+    <<: *signoz-clickhouse-defaults
+    container_name: signoz-clickhouse
+    expose:
+      - 9000
+    ports:
+    #   - "9000:9000"
+      - "8123:8123"
+      - "9181:9181"
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/config.xml:/etc/clickhouse-server/config.xml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/users.xml:/etc/clickhouse-server/users.xml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/custom-function.xml:/etc/clickhouse-server/custom-function.xml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/user_scripts:/var/lib/clickhouse/user_scripts/
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/cluster.xml:/etc/clickhouse-server/config.d/cluster.xml
+      - signoz-clickhouse:/var/lib/clickhouse/
+      # - ${DOCKER_VOLUME_CONFIG}/signoz/common/clickhouse/storage.xml:/etc/clickhouse-server/config.d/storage.xml
+  signoz-app:
+    <<: *signoz-db-depend
+    container_name: signoz-app
+    command:
+      - --config=/root/config/prometheus.yml
+    environment:
+       SIGNOZ_ALERTMANAGER_PROVIDER: signoz
+       SIGNOZ_TELEMETRYSTORE_CLICKHOUSE_DSN: tcp://signoz-clickhouse:9000
+       SIGNOZ_SQLSTORE_SQLITE_PATH: /var/lib/signoz/signoz.db
+       DASHBOARDS_PATH: /root/config/dashboards
+       STORAGE: clickhouse
+       GODEBUG: netdns=go
+       TELEMETRY_ENABLED: true
+       DEPLOYMENT_TYPE: docker-standalone-amd
+    healthcheck:
+      test:
+        - CMD
+        - wget
+        - --spider
+        - -q
+        - localhost:8080/api/v1/health
+      interval: 30s
+      timeout: 5s
+      retries: 3
+    image: signoz/signoz:${VERSION:-v0.86.2}
+    labels:
+      homepage.group: Infrastructure/App Performance Monitoring
+      homepage.name: Signoz
+      homepage.href: https://apm.${MY_TLD}
+      homepage.icon: signoz.svg
+      homepage.description: Logs, metrics, and traces in a single pane
+      swag: enable
+      swag_proto: http
+      swag_port: 8080
+      swag_url: apm.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://apm.${MY_TLD}
+      swag.uptime-kuma.monitor.interval: 300
+    ports:
+      - 36113:8080 # signoz port
+      # - "6060:6060"     # pprof port
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/prometheus.yml:/root/config/prometheus.yml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/dashboards:/root/config/dashboards
+      - signoz-sqlite:/var/lib/signoz/
+  signoz-otel-collector:
+    <<: *signoz-db-depend
+    container_name: signoz-otel-collector
+    command:
+      - --config=/etc/otel-collector-config.yaml
+      - --manager-config=/etc/manager-config.yaml
+      - --copy-path=/var/tmp/collector-config.yaml
+      - --feature-gates=-pkg.translator.prometheus.NormalizeName
+    depends_on:
+      signoz-app:
+        condition: service_healthy
+    environment:
+      OTEL_RESOURCE_ATTRIBUTES: host.name=signoz-host,os.type=linux
+      LOW_CARDINAL_EXCEPTION_GROUPING: false
+    image: signoz/signoz-otel-collector:${OTELCOL_TAG:-v0.111.42}
+    ports:
+      # - "1777:1777"     # pprof extension
+      - "4317:4317" # OTLP gRPC receiver
+      - "4318:4318" # OTLP HTTP receiver
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/otel/otel-collector-config.yaml:/etc/otel-collector-config.yaml
+      - ${DOCKER_VOLUME_CONFIG}/signoz/common/otel/otel-collector-opamp-config.yaml:/etc/manager-config.yaml
+  signoz-schema-migrator-sync:
+    <<: *signoz-common
+    image: signoz/signoz-schema-migrator:${OTELCOL_TAG:-v0.111.42}
+    container_name: schema-migrator-sync
+    command:
+      - sync
+      - --dsn=tcp://signoz-clickhouse:9000
+      - --up=
+    depends_on:
+      signoz-clickhouse:
+        condition: service_healthy
+    restart: on-failure
+  signoz-schema-migrator-async:
+    <<: *signoz-db-depend
+    image: signoz/signoz-schema-migrator:${OTELCOL_TAG:-v0.111.42}
+    container_name: schema-migrator-async
+    command:
+      - async
+      - --dsn=tcp://signoz-clickhouse:9000
+      - --up=
+    restart: on-failure
   sonarqube:
     container_name: sonarqube
     depends_on:
@@ -5235,6 +5454,8 @@ volumes:
     name: dawarich_public
   dawarich_watched:
     name: dawarich_watched
+  dockflare_data:
+    name: dockflare_data
   fastenhealth-cache:
     name: fastenhealth-cache
   fastenhealth-db:
@@ -5313,6 +5534,12 @@ volumes:
     name: semaphore_data
   semaphore_tmp:
     name: semaphore_tmp
+  signoz-clickhouse:
+    name: signoz-clickhouse
+  signoz-sqlite:
+    name: signoz-sqlite
+  signoz-zookeeper-1:
+    name: signoz-zookeeper-1
   sonarqube-data:
     name: sonarqube-data
   sonarqube-db: