fix: workflows

2025-10-11 11:03:57 +02:00
parent 46ab66c600
commit c69e86fb95
10 changed files with 619 additions and 162 deletions
--- a/.claude.json
+++ b/.claude.json
--- a/.gitea/workflows/docs.pivoine.art.yaml
+++ b/.gitea/workflows/docs.pivoine.art.yaml
@@ -46,13 +46,3 @@ jobs:
          target: /var/www/docs.pivoine.art # Set to your deployment directory (for example /public_html)
          strip_components: 1 # This ensures that a subdirectory is not created
          rm: 1
      - name: Docker compose restart
        uses: appleboy/ssh-action@v1
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          password: ${{ secrets.PASSWORD }}
          port: ${{ secrets.PORT }}
          script: |
            cd Projects/kompose/docs
            docker compose restart
--- a/.gitea/workflows/sexy.pivoine.art.yaml
+++ b/.gitea/workflows/sexy.pivoine.art.yaml
@@ -61,13 +61,3 @@ jobs:
          target: /var/www/sexy.pivoine.art # Set to your deployment directory (for example /public_html)
          strip_components: 1 # This ensures that a subdirectory is not created
          rm: 1
      - name: Docker compose restart
        uses: appleboy/ssh-action@v1
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          password: ${{ secrets.PASSWORD }}
          port: ${{ secrets.PORT }}
          script: |
            cd Projects/kompose/sexy
            docker compose restart
--- a/.init/bin/mirror_project.sh
+++ b/.init/bin/mirror_project.sh
@@ -10,10 +10,12 @@ rm -rf $CURRENT_PROJECT/.env $CURRENT_PROJECT/**/uploads/ $CURRENT_PROJECT/**/*.
 if [[ `git add -A && git diff --quiet && git diff --cached --quiet` ]]; then
  # Changes
  echo "CHANGES in ${CURRENT_PROJECT} - Mirroring..."
  git commit -m "$1"
  git push
 else
  # No changes
  echo "NO CHANGES in ${CURRENT_PROJECT} - Aborting..."
  git reset
  echo "no changes to latest posts"
  exit 0
--- a/Projects/kompose/MIGRATION_GUIDE.md
+++ b/Projects/kompose/MIGRATION_GUIDE.md
@@ -0,0 +1,315 @@
 # Kompose Configuration Update - Migration Guide
 ## Overview
 This update restructures your Kompose project to be more secure and maintainable by:
 1. **Separating sensitive data** - All secrets moved to `secrets.env`
 2. **Stack-scoped variables** - Configuration variables prefixed with stack names
 3. **Centralized configuration** - All variables defined in top-level `.env`
 4. **Automatic secret generation** - Generate cryptographically secure secrets with one command
 5. **Traefik control** - Enable/disable Traefik per service with `${STACK}_TRAEFIK_ENABLED`
 ## Files Created
 ### 1. `.env` (Updated)
 - Contains **NON-SENSITIVE** configuration for all stacks
 - Variables are scoped with stack names (e.g., `TRACK_TRAEFIK_HOST`, `AUTH_DB_NAME`)
 - Committed to git
 ### 2. `secrets.env.template`
 - Template file for generating secrets
 - Contains placeholder values: `CHANGE_ME_GENERATE_WITH_KOMPOSE`
 - Committed to git as a reference
 ### 3. `secrets.env` (Generated)
 - Contains **ALL SENSITIVE DATA** (passwords, tokens, keys)
 - Auto-generated from template with `./kompose.sh --generate-secrets`
 - **NEVER committed to git** (automatically added to `.gitignore`)
 ### 4. `kompose.sh` (Updated)
 - Now loads both `.env` and `secrets.env`
 - New `--generate-secrets` command for generating random secrets
 - Automatically backs up existing `secrets.env` before regeneration
 ## Migration Steps
 ### Step 1: Generate Secrets
 ```bash
 # This will create secrets.env from the template
 ./kompose.sh --generate-secrets
 ```
 This command will:
 - Read `secrets.env.template`
 - Generate cryptographically secure random values for all secrets
 - Save them to `secrets.env`
 - Add `secrets.env` to `.gitignore` if not already present
 - Backup existing `secrets.env` if it exists
 ### Step 2: Update Your Stack Files
 Each stack needs to be updated to use the new variable naming pattern:
 #### Before (track/.env):
 ```bash
 COMPOSE_PROJECT_NAME=track
 DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
 DB_NAME=umami
 TRAEFIK_HOST=umami.pivoine.art
 APP_PORT=3000
 APP_SECRET=changeme
 ```
 #### After (track/.env):
 ```bash
 COMPOSE_PROJECT_NAME=track
 # All other variables are now in root .env and secrets.env
 ```
 #### Before (track/compose.yaml):
 ```yaml
 environment:
  DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}
  APP_SECRET: ${APP_SECRET}
 labels:
  - 'traefik.enable=true'
  - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`$TRAEFIK_HOST`)'
 ```
 #### After (track/compose.yaml):
 ```yaml
 environment:
  DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${TRACK_DB_NAME}
  APP_SECRET: ${TRACK_APP_SECRET}
 labels:
  - 'traefik.enable=${TRACK_TRAEFIK_ENABLED}'
  - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${TRACK_TRAEFIK_HOST}`)'
 ```
 ### Step 3: Update Root .env
 Add configuration for each stack in the root `.env`:
 ```bash
 # -------------------------------------------------------------------
 # TRACK Stack (Umami Analytics)
 # -------------------------------------------------------------------
 TRACK_TRAEFIK_ENABLED=true
 TRACK_TRAEFIK_HOST=umami.pivoine.art
 TRACK_DB_NAME=umami
 TRACK_DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
 TRACK_APP_PORT=3000
 ```
 ### Step 4: Update secrets.env.template
 Add secret placeholders for each stack:
 ```bash
 # -------------------------------------------------------------------
 # TRACK Stack Secrets (Umami)
 # -------------------------------------------------------------------
 TRACK_APP_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
 ```
 ### Step 5: Regenerate Secrets (if needed)
 After updating the template, regenerate secrets:
 ```bash
 ./kompose.sh --generate-secrets
 ```
 Your old secrets will be backed up automatically.
 ## Variable Naming Convention
 ### Stack Configuration Variables (in root .env)
 ```
 {STACK_NAME}_{VARIABLE_NAME}
 Examples:
 TRACK_TRAEFIK_HOST=umami.pivoine.art
 TRACK_DB_NAME=umami
 TRACK_DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
 AUTH_TRAEFIK_HOST=auth.pivoine.art
 AUTH_DB_NAME=keycloak
 ```
 ### Stack Secrets (in secrets.env)
 ```
 {STACK_NAME}_{SECRET_NAME}
 Examples:
 TRACK_APP_SECRET=<generated-64-char-hex>
 AUTH_KC_ADMIN_PASSWORD=<generated-32-char-password>
 DB_PASSWORD=<generated-32-char-password>
 ```
 ### Shared Variables (in root .env)
 ```
 DB_USER=valknar
 DB_HOST=postgres
 DB_PORT=5432
 ADMIN_EMAIL=admin@example.com
 NETWORK_NAME=kompose
 ```
 ## Example Stack Configurations
 ### Example 1: Track Stack (Umami)
 **Root .env:**
 ```bash
 TRACK_TRAEFIK_ENABLED=true
 TRACK_TRAEFIK_HOST=umami.pivoine.art
 TRACK_DB_NAME=umami
 TRACK_DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
 ```
 **secrets.env.template:**
 ```bash
 TRACK_APP_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
 ```
 **track/compose.yaml:**
 ```yaml
 services:
  umami:
    image: ${TRACK_DOCKER_IMAGE}
    environment:
      DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${TRACK_DB_NAME}
      APP_SECRET: ${TRACK_APP_SECRET}
    labels:
      - 'traefik.enable=${TRACK_TRAEFIK_ENABLED}'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${TRACK_TRAEFIK_HOST}`)'
 ```
 ### Example 2: Auth Stack (Keycloak)
 **Root .env:**
 ```bash
 AUTH_TRAEFIK_ENABLED=true
 AUTH_TRAEFIK_HOST=auth.pivoine.art
 AUTH_DB_NAME=keycloak
 AUTH_DOCKER_IMAGE=quay.io/keycloak/keycloak:latest
 ```
 **secrets.env.template:**
 ```bash
 AUTH_KC_ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 ```
 **auth/compose.yaml:**
 ```yaml
 services:
  keycloak:
    image: ${AUTH_DOCKER_IMAGE}
    environment:
      KC_DB_URL: jdbc:postgresql://${DB_HOST}:${DB_PORT}/${AUTH_DB_NAME}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${AUTH_KC_ADMIN_PASSWORD}
    labels:
      - 'traefik.enable=${AUTH_TRAEFIK_ENABLED}'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${AUTH_TRAEFIK_HOST}`)'
 ```
 ## Traefik Control
 Every service now has a `${STACK}_TRAEFIK_ENABLED` variable that controls whether Traefik routes to it:
 ```yaml
 labels:
  - 'traefik.enable=${TRACK_TRAEFIK_ENABLED}'  # true or false
 ```
 To disable Traefik for a stack, simply set it to `false` in the root `.env`:
 ```bash
 TRACK_TRAEFIK_ENABLED=false
 ```
 ## Secret Generation Patterns
 The `--generate-secrets` command generates different types of secrets based on variable naming:
 | Variable Pattern | Generated Secret Type | Length | Example |
 |-----------------|----------------------|--------|---------|
 | `*_PASSWORD` | Alphanumeric password | 32 chars | `DB_PASSWORD`, `ADMIN_PASSWORD` |
 | `*_SECRET`, `*_ENCRYPTION_KEY` | Hex string | 64 chars (32 bytes) | `TRACK_APP_SECRET`, `N8N_ENCRYPTION_KEY` |
 | `*_TOKEN` | Alphanumeric token | 40 chars | `GITEA_RUNNER_TOKEN` |
 | `*_HASH` | Hex hash | 64 chars (32 bytes) | `PASSWORD_HASH` |
 | Default | Alphanumeric | 32 chars | Any other variable |
 ## Security Best Practices
 ### ✅ DO:
 - Keep `secrets.env` in `.gitignore`
 - Use the provided `secrets.env.template` as reference
 - Regenerate secrets when setting up new environments
 - Use stack-scoped variable names
 - Store secrets in `secrets.env` only
 ### ❌ DON'T:
 - Commit `secrets.env` to git
 - Hard-code secrets in compose files
 - Share secrets in plain text (use password managers)
 - Use the same secrets across environments
 - Store configuration in stack `.env` files anymore
 ## Quick Reference
 ### Generate secrets:
 ```bash
 ./kompose.sh --generate-secrets
 ```
 ### Start all stacks:
 ```bash
 ./kompose.sh "*" up -d
 ```
 ### View help:
 ```bash
 ./kompose.sh --help
 ```
 ### List stacks:
 ```bash
 ./kompose.sh --list
 ```
 ## Troubleshooting
 ### "Secrets file not found"
 Run: `./kompose.sh --generate-secrets`
 ### "Variable not set" errors
 Make sure you've:
 1. Updated root `.env` with stack-scoped variables
 2. Generated `secrets.env`
 3. Updated compose files to use new variable names
 ### Need to regenerate a single secret?
 Edit `secrets.env` directly and replace the value, or regenerate all secrets (old secrets will be backed up).
 ## Example Complete Setup
 See the `.new` files in `track/` and `auth/` directories for complete examples of the new structure.
 To apply them:
 ```bash
 cd track
 mv compose.yaml.new compose.yaml
 mv .env.new .env
 cd ../auth
 mv compose.yaml.new compose.yaml
 mv .env.new .env
 ```
 Then regenerate your secrets:
 ```bash
 ./kompose.sh --generate-secrets
 ```
--- a/Projects/kompose/auth/.env.new
+++ b/Projects/kompose/auth/.env.new
@@ -0,0 +1,6 @@
 # Stack identification
 COMPOSE_PROJECT_NAME=auth
 # Note: All configuration variables are now in the root .env file
 # with AUTH_ prefix (e.g., AUTH_TRAEFIK_HOST, AUTH_DOCKER_IMAGE, AUTH_DB_NAME)
 # All secrets are in secrets.env (e.g., AUTH_KC_ADMIN_PASSWORD)
--- a/Projects/kompose/auth/compose.yaml.new
+++ b/Projects/kompose/auth/compose.yaml.new
@@ -0,0 +1,41 @@
 name: auth
 services:
  keycloak:
    image: ${AUTH_DOCKER_IMAGE}
    container_name: ${COMPOSE_PROJECT_NAME}_keycloak
    restart: unless-stopped
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://${DB_HOST}:${DB_PORT}/${AUTH_DB_NAME}
      KC_DB_USERNAME: ${DB_USER}
      KC_DB_PASSWORD: ${DB_PASSWORD}
      KC_DB_SCHEMA: public
      KC_HOSTNAME: https://${AUTH_TRAEFIK_HOST}
      KC_HTTP_ENABLED: true
      HTTP_ADDRESS_FORWARDING: true
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${AUTH_KC_ADMIN_PASSWORD}
      KC_PROXY: edge
      KC_FEATURES: docker
    command: start
    networks:
      - kompose_network
    labels:
      - 'traefik.enable=${AUTH_TRAEFIK_ENABLED}'
      - 'traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.middlewares=${COMPOSE_PROJECT_NAME}-redirect-web-secure'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${AUTH_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.entrypoints=web'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${AUTH_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
      - 'traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.middlewares=${COMPOSE_PROJECT_NAME}-web-secure-compress'
      - 'traefik.http.services.${COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=8080'
      - 'traefik.docker.network=${NETWORK_NAME:-kompose}'
 networks:
  kompose_network:
    name: ${NETWORK_NAME:-kompose}
    external: true
--- a/Projects/kompose/secrets.env.template
+++ b/Projects/kompose/secrets.env.template
@@ -0,0 +1,51 @@
 # ===================================================================
 # KOMPOSE - Secrets Configuration
 # ===================================================================
 # This file contains SENSITIVE data and should NOT be committed to git.
 # Add secrets.env to your .gitignore file!
 #
 # Generate random secrets with: ./kompose.sh --generate-secrets
 # ===================================================================
 # -------------------------------------------------------------------
 # Database Passwords (Shared)
 # -------------------------------------------------------------------
 DB_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # -------------------------------------------------------------------
 # Admin Passwords
 # -------------------------------------------------------------------
 ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # -------------------------------------------------------------------
 # Email/SMTP Passwords
 # -------------------------------------------------------------------
 EMAIL_SMTP_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # -------------------------------------------------------------------
 # AUTH Stack Secrets (Keycloak)
 # -------------------------------------------------------------------
 AUTH_KC_ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # -------------------------------------------------------------------
 # TRACK Stack Secrets (Umami)
 # -------------------------------------------------------------------
 # APP_SECRET for Umami (64 character hex string)
 TRACK_APP_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # -------------------------------------------------------------------
 # Add more stack secrets below (scope them with stack name)
 # -------------------------------------------------------------------
 # BLOG_SECRET_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # CHAT_ENCRYPTION_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # DATA_DIRECTUS_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # CODE_GITEA_RUNNER_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # etc...
 # Example secrets from your current .env that should be scoped:
 # GITEA_RUNNER_REGISTRATION_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # NEXTAUTH_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # JWT_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # N8N_ENCRYPTION_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # DIRECTUS_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # PASSWORD_HASH=CHANGE_ME_GENERATE_WITH_KOMPOSE
--- a/Projects/kompose/track/.env.new
+++ b/Projects/kompose/track/.env.new
@@ -0,0 +1,6 @@
 # Stack identification
 COMPOSE_PROJECT_NAME=track
 # Note: All configuration variables are now in the root .env file
 # with TRACK_ prefix (e.g., TRACK_TRAEFIK_HOST, TRACK_DOCKER_IMAGE)
 # All secrets are in secrets.env (e.g., TRACK_APP_SECRET)
--- a/Projects/kompose/track/compose.yaml.new
+++ b/Projects/kompose/track/compose.yaml.new
@@ -0,0 +1,37 @@
 name: track
 services:
  umami:
    image: ${TRACK_DOCKER_IMAGE}
    container_name: ${COMPOSE_PROJECT_NAME}_app
    restart: unless-stopped
    environment:
      DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${TRACK_DB_NAME}
      DATABASE_TYPE: postgresql
      APP_SECRET: ${TRACK_APP_SECRET}
    networks:
      - kompose_network
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:3000/api/heartbeat || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 40s
    labels:
      - 'traefik.enable=${TRACK_TRAEFIK_ENABLED}'
      - 'traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.middlewares=${COMPOSE_PROJECT_NAME}-redirect-web-secure'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.rule=Host(`${TRACK_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web.entrypoints=web'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${TRACK_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
      - 'traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-web-secure.middlewares=${COMPOSE_PROJECT_NAME}-web-secure-compress'
      - 'traefik.http.services.${COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=3000'
      - 'traefik.docker.network=${NETWORK_NAME:-kompose}'
 networks:
  kompose_network:
    name: ${NETWORK_NAME:-kompose}
    external: true