fix: workflows

.gitea/workflows/docs.pivoine.art.yaml

@@ -46,13 +46,3 @@ jobs:
           target: /var/www/docs.pivoine.art # Set to your deployment directory (for example /public_html)
           strip_components: 1 # This ensures that a subdirectory is not created
           rm: 1
-      - name: Docker compose restart
-        uses: appleboy/ssh-action@v1
-        with:
-          host: ${{ secrets.HOST }}
-          username: ${{ secrets.USERNAME }}
-          password: ${{ secrets.PASSWORD }}
-          port: ${{ secrets.PORT }}
-          script: |
-            cd Projects/kompose/docs
-            docker compose restart

.gitea/workflows/sexy.pivoine.art.yaml

@@ -61,13 +61,3 @@ jobs:
           target: /var/www/sexy.pivoine.art # Set to your deployment directory (for example /public_html)
           strip_components: 1 # This ensures that a subdirectory is not created
           rm: 1
-      - name: Docker compose restart
-        uses: appleboy/ssh-action@v1
-        with:
-          host: ${{ secrets.HOST }}
-          username: ${{ secrets.USERNAME }}
-          password: ${{ secrets.PASSWORD }}
-          port: ${{ secrets.PORT }}
-          script: |
-            cd Projects/kompose/sexy
-            docker compose restart

.init/bin/mirror_project.sh

@@ -10,10 +10,12 @@ rm -rf $CURRENT_PROJECT/.env $CURRENT_PROJECT/**/uploads/ $CURRENT_PROJECT/**/*.
 
 if [[ `git add -A && git diff --quiet && git diff --cached --quiet` ]]; then
   # Changes
+  echo "CHANGES in ${CURRENT_PROJECT} - Mirroring..."
   git commit -m "$1"
   git push
 else
   # No changes
+  echo "NO CHANGES in ${CURRENT_PROJECT} - Aborting..."
   git reset
   echo "no changes to latest posts"
   exit 0

Projects/kompose/MIGRATION_GUIDE.md

@@ -0,0 +1,315 @@
+# Kompose Configuration Update - Migration Guide
+
+## Overview
+
+This update restructures your Kompose project to be more secure and maintainable by:
+
+1. **Separating sensitive data** - All secrets moved to `secrets.env`
+2. **Stack-scoped variables** - Configuration variables prefixed with stack names
+3. **Centralized configuration** - All variables defined in top-level `.env`
+4. **Automatic secret generation** - Generate cryptographically secure secrets with one command
+5. **Traefik control** - Enable/disable Traefik per service with `${STACK}_TRAEFIK_ENABLED`
+
+## Files Created
+
+### 1. `.env` (Updated)
+- Contains **NON-SENSITIVE** configuration for all stacks
+- Variables are scoped with stack names (e.g., `TRACK_TRAEFIK_HOST`, `AUTH_DB_NAME`)
+- Committed to git
+
+### 2. `secrets.env.template`
+- Template file for generating secrets
+- Contains placeholder values: `CHANGE_ME_GENERATE_WITH_KOMPOSE`
+- Committed to git as a reference
+
+### 3. `secrets.env` (Generated)
+- Contains **ALL SENSITIVE DATA** (passwords, tokens, keys)
+- Auto-generated from template with `./kompose.sh --generate-secrets`
+- **NEVER committed to git** (automatically added to `.gitignore`)
+
+### 4. `kompose.sh` (Updated)
+- Now loads both `.env` and `secrets.env`
+- New `--generate-secrets` command for generating random secrets
+- Automatically backs up existing `secrets.env` before regeneration
+
+## Migration Steps
+
+### Step 1: Generate Secrets
+
+```bash
+# This will create secrets.env from the template
+./kompose.sh --generate-secrets
+```
+
+This command will:
+- Read `secrets.env.template`
+- Generate cryptographically secure random values for all secrets
+- Save them to `secrets.env`
+- Add `secrets.env` to `.gitignore` if not already present
+- Backup existing `secrets.env` if it exists
+
+### Step 2: Update Your Stack Files
+
+Each stack needs to be updated to use the new variable naming pattern:
+
+#### Before (track/.env):
+```bash
+COMPOSE_PROJECT_NAME=track
+DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
+DB_NAME=umami
+TRAEFIK_HOST=umami.pivoine.art
+APP_PORT=3000
+APP_SECRET=changeme
+```
+
+#### After (track/.env):
+```bash
+COMPOSE_PROJECT_NAME=track
+# All other variables are now in root .env and secrets.env
+```
+
+#### Before (track/compose.yaml):
+```yaml
+environment:
+  DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}
+  APP_SECRET: ${APP_SECRET}
+labels:
+  - 'traefik.enable=true'
+  - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`$TRAEFIK_HOST`)'
+```
+
+#### After (track/compose.yaml):
+```yaml
+environment:
+  DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${TRACK_DB_NAME}
+  APP_SECRET: ${TRACK_APP_SECRET}
+labels:
+  - 'traefik.enable=${TRACK_TRAEFIK_ENABLED}'
+  - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${TRACK_TRAEFIK_HOST}`)'
+```
+
+### Step 3: Update Root .env
+
+Add configuration for each stack in the root `.env`:
+
+```bash
+# -------------------------------------------------------------------
+# TRACK Stack (Umami Analytics)
+# -------------------------------------------------------------------
+TRACK_TRAEFIK_ENABLED=true
+TRACK_TRAEFIK_HOST=umami.pivoine.art
+TRACK_DB_NAME=umami
+TRACK_DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
+TRACK_APP_PORT=3000
+```
+
+### Step 4: Update secrets.env.template
+
+Add secret placeholders for each stack:
+
+```bash
+# -------------------------------------------------------------------
+# TRACK Stack Secrets (Umami)
+# -------------------------------------------------------------------
+TRACK_APP_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+```
+
+### Step 5: Regenerate Secrets (if needed)
+
+After updating the template, regenerate secrets:
+
+```bash
+./kompose.sh --generate-secrets
+```
+
+Your old secrets will be backed up automatically.
+
+## Variable Naming Convention
+
+### Stack Configuration Variables (in root .env)
+```
+{STACK_NAME}_{VARIABLE_NAME}
+
+Examples:
+TRACK_TRAEFIK_HOST=umami.pivoine.art
+TRACK_DB_NAME=umami
+TRACK_DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
+AUTH_TRAEFIK_HOST=auth.pivoine.art
+AUTH_DB_NAME=keycloak
+```
+
+### Stack Secrets (in secrets.env)
+```
+{STACK_NAME}_{SECRET_NAME}
+
+Examples:
+TRACK_APP_SECRET=<generated-64-char-hex>
+AUTH_KC_ADMIN_PASSWORD=<generated-32-char-password>
+DB_PASSWORD=<generated-32-char-password>
+```
+
+### Shared Variables (in root .env)
+```
+DB_USER=valknar
+DB_HOST=postgres
+DB_PORT=5432
+ADMIN_EMAIL=admin@example.com
+NETWORK_NAME=kompose
+```
+
+## Example Stack Configurations
+
+### Example 1: Track Stack (Umami)
+
+**Root .env:**
+```bash
+TRACK_TRAEFIK_ENABLED=true
+TRACK_TRAEFIK_HOST=umami.pivoine.art
+TRACK_DB_NAME=umami
+TRACK_DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
+```
+
+**secrets.env.template:**
+```bash
+TRACK_APP_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+```
+
+**track/compose.yaml:**
+```yaml
+services:
+  umami:
+    image: ${TRACK_DOCKER_IMAGE}
+    environment:
+      DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${TRACK_DB_NAME}
+      APP_SECRET: ${TRACK_APP_SECRET}
+    labels:
+      - 'traefik.enable=${TRACK_TRAEFIK_ENABLED}'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${TRACK_TRAEFIK_HOST}`)'
+```
+
+### Example 2: Auth Stack (Keycloak)
+
+**Root .env:**
+```bash
+AUTH_TRAEFIK_ENABLED=true
+AUTH_TRAEFIK_HOST=auth.pivoine.art
+AUTH_DB_NAME=keycloak
+AUTH_DOCKER_IMAGE=quay.io/keycloak/keycloak:latest
+```
+
+**secrets.env.template:**
+```bash
+AUTH_KC_ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
+```
+
+**auth/compose.yaml:**
+```yaml
+services:
+  keycloak:
+    image: ${AUTH_DOCKER_IMAGE}
+    environment:
+      KC_DB_URL: jdbc:postgresql://${DB_HOST}:${DB_PORT}/${AUTH_DB_NAME}
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${AUTH_KC_ADMIN_PASSWORD}
+    labels:
+      - 'traefik.enable=${AUTH_TRAEFIK_ENABLED}'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${AUTH_TRAEFIK_HOST}`)'
+```
+
+## Traefik Control
+
+Every service now has a `${STACK}_TRAEFIK_ENABLED` variable that controls whether Traefik routes to it:
+
+```yaml
+labels:
+  - 'traefik.enable=${TRACK_TRAEFIK_ENABLED}'  # true or false
+```
+
+To disable Traefik for a stack, simply set it to `false` in the root `.env`:
+
+```bash
+TRACK_TRAEFIK_ENABLED=false
+```
+
+## Secret Generation Patterns
+
+The `--generate-secrets` command generates different types of secrets based on variable naming:
+
+| Variable Pattern | Generated Secret Type | Length | Example |
+|-----------------|----------------------|--------|---------|
+| `*_PASSWORD` | Alphanumeric password | 32 chars | `DB_PASSWORD`, `ADMIN_PASSWORD` |
+| `*_SECRET`, `*_ENCRYPTION_KEY` | Hex string | 64 chars (32 bytes) | `TRACK_APP_SECRET`, `N8N_ENCRYPTION_KEY` |
+| `*_TOKEN` | Alphanumeric token | 40 chars | `GITEA_RUNNER_TOKEN` |
+| `*_HASH` | Hex hash | 64 chars (32 bytes) | `PASSWORD_HASH` |
+| Default | Alphanumeric | 32 chars | Any other variable |
+
+## Security Best Practices
+
+### ✅ DO:
+- Keep `secrets.env` in `.gitignore`
+- Use the provided `secrets.env.template` as reference
+- Regenerate secrets when setting up new environments
+- Use stack-scoped variable names
+- Store secrets in `secrets.env` only
+
+### ❌ DON'T:
+- Commit `secrets.env` to git
+- Hard-code secrets in compose files
+- Share secrets in plain text (use password managers)
+- Use the same secrets across environments
+- Store configuration in stack `.env` files anymore
+
+## Quick Reference
+
+### Generate secrets:
+```bash
+./kompose.sh --generate-secrets
+```
+
+### Start all stacks:
+```bash
+./kompose.sh "*" up -d
+```
+
+### View help:
+```bash
+./kompose.sh --help
+```
+
+### List stacks:
+```bash
+./kompose.sh --list
+```
+
+## Troubleshooting
+
+### "Secrets file not found"
+Run: `./kompose.sh --generate-secrets`
+
+### "Variable not set" errors
+Make sure you've:
+1. Updated root `.env` with stack-scoped variables
+2. Generated `secrets.env`
+3. Updated compose files to use new variable names
+
+### Need to regenerate a single secret?
+Edit `secrets.env` directly and replace the value, or regenerate all secrets (old secrets will be backed up).
+
+## Example Complete Setup
+
+See the `.new` files in `track/` and `auth/` directories for complete examples of the new structure.
+
+To apply them:
+```bash
+cd track
+mv compose.yaml.new compose.yaml
+mv .env.new .env
+
+cd ../auth
+mv compose.yaml.new compose.yaml
+mv .env.new .env
+```
+
+Then regenerate your secrets:
+```bash
+./kompose.sh --generate-secrets
+```

Projects/kompose/auth/.env.new

@@ -0,0 +1,6 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=auth
+
+# Note: All configuration variables are now in the root .env file
+# with AUTH_ prefix (e.g., AUTH_TRAEFIK_HOST, AUTH_DOCKER_IMAGE, AUTH_DB_NAME)
+# All secrets are in secrets.env (e.g., AUTH_KC_ADMIN_PASSWORD)

Projects/kompose/auth/compose.yaml.new

@@ -0,0 +1,41 @@
+name: auth
+
+services:
+  keycloak:
+    image: ${AUTH_DOCKER_IMAGE}
+    container_name: ${COMPOSE_PROJECT_NAME}_keycloak
+    restart: unless-stopped
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://${DB_HOST}:${DB_PORT}/${AUTH_DB_NAME}
+      KC_DB_USERNAME: ${DB_USER}
+      KC_DB_PASSWORD: ${DB_PASSWORD}
+      KC_DB_SCHEMA: public
+      KC_HOSTNAME: https://${AUTH_TRAEFIK_HOST}
+      KC_HTTP_ENABLED: true
+      HTTP_ADDRESS_FORWARDING: true
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${AUTH_KC_ADMIN_PASSWORD}
+      KC_PROXY: edge
+      KC_FEATURES: docker
+    command: start
+    networks:
+      - kompose_network
+    labels:
+      - 'traefik.enable=${AUTH_TRAEFIK_ENABLED}'
+      - 'traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.middlewares=${COMPOSE_PROJECT_NAME}-redirect-web-secure'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${AUTH_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.entrypoints=web'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${AUTH_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
+      - 'traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.middlewares=${COMPOSE_PROJECT_NAME}-web-secure-compress'
+      - 'traefik.http.services.${COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=8080'
+      - 'traefik.docker.network=${NETWORK_NAME:-kompose}'
+
+networks:
+  kompose_network:
+    name: ${NETWORK_NAME:-kompose}
+    external: true

Projects/kompose/secrets.env.template

@@ -0,0 +1,51 @@
+# ===================================================================
+# KOMPOSE - Secrets Configuration
+# ===================================================================
+# This file contains SENSITIVE data and should NOT be committed to git.
+# Add secrets.env to your .gitignore file!
+#
+# Generate random secrets with: ./kompose.sh --generate-secrets
+# ===================================================================
+
+# -------------------------------------------------------------------
+# Database Passwords (Shared)
+# -------------------------------------------------------------------
+DB_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# Admin Passwords
+# -------------------------------------------------------------------
+ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# Email/SMTP Passwords
+# -------------------------------------------------------------------
+EMAIL_SMTP_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# AUTH Stack Secrets (Keycloak)
+# -------------------------------------------------------------------
+AUTH_KC_ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# TRACK Stack Secrets (Umami)
+# -------------------------------------------------------------------
+# APP_SECRET for Umami (64 character hex string)
+TRACK_APP_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# Add more stack secrets below (scope them with stack name)
+# -------------------------------------------------------------------
+# BLOG_SECRET_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# CHAT_ENCRYPTION_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# DATA_DIRECTUS_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# CODE_GITEA_RUNNER_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# etc...
+
+# Example secrets from your current .env that should be scoped:
+# GITEA_RUNNER_REGISTRATION_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# NEXTAUTH_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# JWT_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# N8N_ENCRYPTION_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# DIRECTUS_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# PASSWORD_HASH=CHANGE_ME_GENERATE_WITH_KOMPOSE

Projects/kompose/track/.env.new

@@ -0,0 +1,6 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=track
+
+# Note: All configuration variables are now in the root .env file
+# with TRACK_ prefix (e.g., TRACK_TRAEFIK_HOST, TRACK_DOCKER_IMAGE)
+# All secrets are in secrets.env (e.g., TRACK_APP_SECRET)

Projects/kompose/track/compose.yaml.new

@@ -0,0 +1,37 @@
+name: track
+
+services:
+  umami:
+    image: ${TRACK_DOCKER_IMAGE}
+    container_name: ${COMPOSE_PROJECT_NAME}_app
+    restart: unless-stopped
+    environment:
+      DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${TRACK_DB_NAME}
+      DATABASE_TYPE: postgresql
+      APP_SECRET: ${TRACK_APP_SECRET}
+    networks:
+      - kompose_network
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost:3000/api/heartbeat || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 40s
+    labels:
+      - 'traefik.enable=${TRACK_TRAEFIK_ENABLED}'
+      - 'traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.middlewares=${COMPOSE_PROJECT_NAME}-redirect-web-secure'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${TRACK_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.entrypoints=web'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${TRACK_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
+      - 'traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
+      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.middlewares=${COMPOSE_PROJECT_NAME}-web-secure-compress'
+      - 'traefik.http.services.${COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=3000'
+      - 'traefik.docker.network=${NETWORK_NAME:-kompose}'
+
+networks:
+  kompose_network:
+    name: ${NETWORK_NAME:-kompose}
+    external: true