feat: Add realesrgan-api service to API stack

Traefik routes api.pivoine.art/freepik and /facefusion to their
respective containers with path rewriting, shared API token auth
via an nginx sidecar, and api-rate-limit middleware.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitignore

@@ -1,3 +1,4 @@
 .claude
 .env
-*.sql
+*.sql
+*.log

README.md

@@ -20,6 +20,12 @@ Each stack is independently deployable with its own `compose.yml` and `.env`. Al
 | `sexy` | pivoine.art website | directus, frontend, redis, db |
 | `vaultwarden` | Password manager | vaultwarden |
 
+## Tools
+
+| Directory | Description |
+|---|---|
+| `_backup` | Daily restic backups to HiDrive (host script + systemd timer) |
+
 ## Deployment
 
 ```bash
@@ -34,6 +40,32 @@ ssh vps 'cd ~/stacks/<stack> && docker compose up -d'
 
 All stacks share the external `falcon_network` Docker network for inter-service communication (e.g. traefik routing, mailpit SMTP).
 
+## Backup
+
+The `_backup` stack runs a daily restic backup at 3:00 AM. It dumps all Postgres databases, then backs up the entire `.data/` directory to HiDrive. Retention: 7 daily, 4 weekly, 6 monthly snapshots. Notifications go to Mattermost.
+
+```bash
+# Deploy backup stack
+rsync -avz _backup/ vps:~/stacks/_backup/
+
+# Initialize restic repo (first time only)
+ssh vps 'source ~/stacks/_backup/.env && restic init -r /mnt/hidrive/users/valknar/Backup/stacks'
+
+# Install systemd units
+ssh vps 'ln -sf ~/stacks/_backup/stacks-backup.service /etc/systemd/system/ && \
+         ln -sf ~/stacks/_backup/stacks-backup.timer /etc/systemd/system/ && \
+         systemctl daemon-reload && systemctl enable --now stacks-backup.timer'
+
+# Manual test run
+ssh vps '~/stacks/_backup/backup.sh'
+
+# Check timer status
+ssh vps 'systemctl status stacks-backup.timer'
+
+# View snapshots
+ssh vps 'source ~/stacks/_backup/.env && restic -r /mnt/hidrive/users/valknar/Backup/stacks snapshots'
+```
+
 ## Data
 
 Persistent data is stored in `~/stacks/.data/<stack>/` on the VPS using bind mounts. Database stacks use dedicated Postgres instances with simple credentials.

_backup/backup.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+STACKS_DIR="$(dirname "$SCRIPT_DIR")"
+DATA_DIR="$STACKS_DIR/.data"
+DUMP_DIR="$DATA_DIR/backup/dumps"
+LOG_FILE="$SCRIPT_DIR/backup.log"
+
+# Load environment
+set -a
+source "$SCRIPT_DIR/.env"
+set +a
+
+export RESTIC_REPOSITORY RESTIC_PASSWORD
+
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG_FILE"; }
+
+notify() {
+  local color="$1" text="$2"
+  curl -sf -o /dev/null -X POST "$MATTERMOST_WEBHOOK" \
+    -H 'Content-Type: application/json' \
+    -d "{\"attachments\":[{\"color\":\"$color\",\"text\":\"$text\"}]}"
+}
+
+# Truncate log on each run
+: > "$LOG_FILE"
+
+log "Starting backup"
+
+# --- Postgres dumps ---
+mkdir -p "$DUMP_DIR"
+
+declare -A DATABASES=(
+  [umami_db]="umami:umami"
+  [joplin_db]="joplin:joplin"
+  [gitea_db]="gitea:gitea"
+  [mattermost_db]="mattermost:mattermost"
+  [sexy_db]="directus:directus"
+  [immich_db]="immich:immich"
+  [coolify_db]="coolify:coolify"
+)
+
+dump_errors=()
+for container in "${!DATABASES[@]}"; do
+  IFS=: read -r user db <<< "${DATABASES[$container]}"
+  log "Dumping $db from $container"
+  if docker exec "$container" pg_dump -U "$user" "$db" > "$DUMP_DIR/$db.sql" 2>>"$LOG_FILE"; then
+    log "  OK ($(du -h "$DUMP_DIR/$db.sql" | cut -f1))"
+  else
+    log "  FAILED: $container"
+    dump_errors+=("$db")
+  fi
+done
+
+if [ ${#dump_errors[@]} -gt 0 ]; then
+  log "WARNING: Failed dumps: ${dump_errors[*]}"
+fi
+
+# --- Restic backup ---
+log "Running restic backup"
+if ! restic backup "$DATA_DIR" --tag stacks 2>&1 | tee -a "$LOG_FILE"; then
+  log "FATAL: restic backup failed"
+  notify "#cc0000" ":x: **Backup failed** — restic backup error. Check \`$LOG_FILE\`."
+  exit 1
+fi
+
+# --- Restic prune ---
+log "Pruning old snapshots"
+if ! restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 2>&1 | tee -a "$LOG_FILE"; then
+  log "WARNING: restic forget failed"
+fi
+
+# --- Summary ---
+snapshot_info=$(restic snapshots --latest 1 --compact 2>/dev/null | tail -3 | head -1)
+repo_stats=$(restic stats 2>/dev/null | grep "Total Size" || true)
+
+summary=":white_check_mark: **Backup complete**"
+[ ${#dump_errors[@]} -gt 0 ] && summary+="\n:warning: Failed dumps: ${dump_errors[*]}"
+summary+="\nLatest: \`$snapshot_info\`"
+[ -n "$repo_stats" ] && summary+="\nRepo: $repo_stats"
+
+notify "#36a64f" "$summary"
+log "Backup complete"

_backup/stacks-backup.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup stacks data to HiDrive via restic
+After=network-online.target docker.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/root/stacks/_backup/backup.sh
+Environment=HOME=/root

_backup/stacks-backup.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Daily stacks backup at 3:00 AM
+
+[Timer]
+OnCalendar=*-*-* 03:00:00 Europe/Amsterdam
+Persistent=true
+
+[Install]
+WantedBy=timers.target

api/auth.conf.template

@@ -0,0 +1,9 @@
+server {
+    listen 8080;
+    location / {
+        if ($http_x_api_key != '${API_TOKEN}') {
+            return 401;
+        }
+        return 200;
+    }
+}

api/compose.yml

@@ -0,0 +1,103 @@
+services:
+  auth:
+    image: nginx:alpine
+    container_name: api_auth
+    volumes:
+      - ./auth.conf.template:/etc/nginx/templates/default.conf.template:ro
+    environment:
+      - API_TOKEN=${API_TOKEN}
+    restart: always
+    networks:
+      - compose_network
+
+  freepik:
+    image: dev.pivoine.art/valknar/freepik-api:latest
+    container_name: api_freepik
+    environment:
+      - FP_FREEPIK_API_KEY=${FP_FREEPIK_API_KEY}
+      - FP_WEBHOOK_SECRET=${FP_WEBHOOK_SECRET}
+    volumes:
+      - ../.data/api/freepik/outputs:/app/outputs
+      - ../.data/api/freepik/temp:/app/temp
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.api-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.api-auth.forwardauth.address=http://api_auth:8080"
+      - "traefik.http.middlewares.api-freepik-strip.stripprefix.prefixes=/freepik"
+      - "traefik.http.middlewares.api-freepik-addprefix.addprefix.prefix=/api/v1"
+      - "traefik.http.routers.api-freepik-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/freepik`)"
+      - "traefik.http.routers.api-freepik-web.entrypoints=web"
+      - "traefik.http.routers.api-freepik-web.middlewares=api-redirect-web-secure"
+      - "traefik.http.routers.api-freepik-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/freepik`)"
+      - "traefik.http.routers.api-freepik-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.api-freepik-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.api-freepik-web-secure.middlewares=api-auth,api-freepik-strip,api-freepik-addprefix,api-rate-limit@file"
+      - "traefik.http.services.api-freepik-web-secure.loadbalancer.server.port=8000"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - compose_network
+
+  facefusion:
+    image: dev.pivoine.art/valknar/facefusion-api:latest
+    container_name: api_facefusion
+    environment:
+      - FF_EXECUTION_PROVIDERS=["cpu"]
+    volumes:
+      - ../.data/api/facefusion/uploads:/app/uploads
+      - ../.data/api/facefusion/outputs:/app/outputs
+      - ../.data/api/facefusion/models:/app/models
+      - ../.data/api/facefusion/temp:/app/temp
+      - ../.data/api/facefusion/jobs:/app/jobs
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.api-facefusion-strip.stripprefix.prefixes=/facefusion"
+      - "traefik.http.middlewares.api-facefusion-addprefix.addprefix.prefix=/api/v1"
+      - "traefik.http.routers.api-facefusion-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/facefusion`)"
+      - "traefik.http.routers.api-facefusion-web.entrypoints=web"
+      - "traefik.http.routers.api-facefusion-web.middlewares=api-redirect-web-secure"
+      - "traefik.http.routers.api-facefusion-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/facefusion`)"
+      - "traefik.http.routers.api-facefusion-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.api-facefusion-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.api-facefusion-web-secure.middlewares=api-auth,api-facefusion-strip,api-facefusion-addprefix,api-rate-limit@file"
+      - "traefik.http.services.api-facefusion-web-secure.loadbalancer.server.port=8000"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - compose_network
+
+  realesrgan:
+    image: dev.pivoine.art/valknar/realesrgan-api:latest-cpu
+    container_name: api_realesrgan
+    environment:
+      - RSR_EXECUTION_PROVIDERS=["cpu"]
+    volumes:
+      - ../.data/api/realesrgan/uploads:/data/uploads
+      - ../.data/api/realesrgan/outputs:/data/outputs
+      - ../.data/api/realesrgan/models:/data/models
+      - ../.data/api/realesrgan/temp:/data/temp
+      - ../.data/api/realesrgan/jobs:/data/jobs
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.api-realesrgan-strip.stripprefix.prefixes=/realesrgan"
+      - "traefik.http.middlewares.api-realesrgan-addprefix.addprefix.prefix=/api/v1"
+      - "traefik.http.routers.api-realesrgan-web.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/realesrgan`)"
+      - "traefik.http.routers.api-realesrgan-web.entrypoints=web"
+      - "traefik.http.routers.api-realesrgan-web.middlewares=api-redirect-web-secure"
+      - "traefik.http.routers.api-realesrgan-web-secure.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/realesrgan`)"
+      - "traefik.http.routers.api-realesrgan-web-secure.entrypoints=web-secure"
+      - "traefik.http.routers.api-realesrgan-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.api-realesrgan-web-secure.middlewares=api-auth,api-realesrgan-strip,api-realesrgan-addprefix,api-rate-limit@file"
+      - "traefik.http.services.api-realesrgan-web-secure.loadbalancer.server.port=8000"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      - "com.centurylinklabs.watchtower.enable=true"
+    networks:
+      - compose_network
+
+networks:
+  compose_network:
+    name: ${NETWORK_NAME}
+    external: true

sexy/compose.yml

@@ -47,6 +47,7 @@ services:
       CACHE_AUTO_PURGE: "true"
       CACHE_STORE: redis
       REDIS: redis://sexy_redis:6379
+      ASSETS_CACHE_TTL: "31536000"
       WEBSOCKETS_ENABLED: "true"
       PUBLIC_URL: https://${TRAEFIK_HOST}/api
       CORS_ENABLED: "true"

umami/compose.yml

@@ -1,11 +1,11 @@
 ---
 services:
   umami:
-    image: ghcr.io/umami-software/umami:latest
+    image: ghcr.io/umami-software/umami:postgresql-latest
     container_name: umami
     environment:
       TZ: ${TIMEZONE:-Europe/Amsterdam}
-      DATABASE_URL: postgresql://umami:umami@db:5432/umami
+      DATABASE_URL: postgresql://umami:umami@umami_db:5432/umami
       APP_SECRET: ${APP_SECRET}
     depends_on:
       db:

vaultwarden/compose.yml

@@ -11,6 +11,7 @@ services:
       INVITATIONS_ALLOWED: "true"
       SHOW_PASSWORD_HINT: "false"
       SMTP_HOST: mailpit
+      SMTP_FROM: ${SMTP_FROM}
       SMTP_FROM_NAME: Vaultwarden
       SMTP_SECURITY: off
       SMTP_PORT: 1025