
Merge branch 'main' into authentik

Christian Lempa 2 лет назад
Родитель
Сommit
ed2e1e74dc
30 измененных файлов с 272 добавлено и 162 удалено
  1. 1 8
      .github/pull_request_template.md
  2. 5 2
      .gitignore
  3. 2 2
      docker-compose/ansiblesemaphore/docker-compose.yaml
  4. 17 17
      docker-compose/cadvisor/docker-compose.yaml
  5. 1 1
      docker-compose/grafana/docker-compose.yaml
  6. 1 1
      docker-compose/heimdall/docker-compose.yaml
  7. 2 1
      docker-compose/homeassistant/docker-compose.yaml
  8. 33 0
      docker-compose/homepage/docker-compose.yaml
  9. 1 1
      docker-compose/nextcloud/docker-compose.yaml
  10. 2 2
      docker-compose/nginxproxymanager/docker-compose.yaml
  11. 9 9
      docker-compose/nodeexporter/docker-compose.yaml
  12. 1 1
      docker-compose/nvidiasmi/docker-compose.yaml
  13. 1 1
      docker-compose/passbolt/docker-compose.yaml
  14. 45 0
      docker-compose/postgres/docker-compose.yaml
  15. 27 27
      docker-compose/prometheus/config/prometheus.yml
  16. 1 1
      docker-compose/prometheus/docker-compose.yaml
  17. 1 1
      docker-compose/teleport/docker-compose.yaml
  18. 16 0
      docker-compose/traefik/config/conf/example-externalservice.yaml
  19. 1 1
      kubernetes/traefik/values.yml
  20. 19 0
      renovate.json
  21. 1 1
      terraform/cloudflare/provider.tf
  22. 1 1
      terraform/kubectl/provider.tf
  23. 1 1
      terraform/kubernetes/provider.tf
  24. 1 1
      terraform/templates/cloud-deployment-example/main.tf
  25. 4 4
      terraform/templates/kubernetes-automation-example/provider.tf
  26. 1 1
      terraform/templates/simple-docker-example/main.tf
  27. 20 20
      vagrant/hyperv/ubuntu/docker/Vagrantfile
  28. 20 20
      vagrant/hyperv/ubuntu/microk8s-installed/Vagrantfile
  29. 22 22
      vagrant/hyperv/ubuntu/plain-with-cockpit/Vagrantfile
  30. 15 15
      vagrant/hyperv/ubuntu/plain/Vagrantfile

+ 1 - 8
.github/pull_request_template.md

@@ -1,12 +1,5 @@
 ### Pull Request
 
-*Please write all text in English in order to facilitate communication and collaboration, and follow this checklist. It will help the contributors to review your PR. Thank you!*
-
-- [ ] My pull request has a descriptive title. (unlike `Update index.md`). Check [this](https://www.conventionalcommits.org/en/v1.0.0/) guide regarding titles.
-- [ ] If applicable, I have tested these changes locally.
-
-*If your pull request closes a GitHub issue, replace the XXXXX below with the issue number.*
-
-Closes #XXXXX
+*Please write all text in English in order to facilitate communication and collaboration. Thank you!*
 
 ---

+ 5 - 2
.gitignore

@@ -1,4 +1,7 @@
-.obsidian
+# Ignore local development files
 **/.vscode
-**/.env
 **/.DS_Store
+
+# Docker Secrets, Environment Files
+**/secret.*
+**/.env

+ 2 - 2
docker-compose/ansiblesemaphore/docker-compose.yaml

@@ -4,7 +4,7 @@ volumes:
     driver: local
 services:
   mysql:
-    image: mysql:8.0
+    image: mysql:8.3
     hostname: mysql
     volumes:
       - semaphore-mysql:/var/lib/mysql
@@ -16,7 +16,7 @@ services:
     restart: unless-stopped
   semaphore:
     container_name: ansiblesemaphore
-    image: semaphoreui/semaphore:v2.9.45
+    image: semaphoreui/semaphore:v2.9.58
     user: "${UID}:${GID}"
     ports:
       - 3000:3000

+ 17 - 17
docker-compose/cadvisor/docker-compose.yaml

@@ -1,17 +1,17 @@
----
-services:
-  cadvisor:
-    image: gcr.io/cadvisor/cadvisor:v0.47.0     
-    container_name: cadvisor
-    ports:
-      - 8080:8080
-    volumes:
-      - /:/rootfs:ro
-      - /var/run:/var/run:ro
-      - /sys:/sys:ro
-      - /var/lib/docker/:/var/lib/docker:ro
-      - /dev/disk/:/dev/disk:ro
-    devices:
-      - /dev/kmsg
-    privileged: true
-    restart: unless-stopped
+---
+services:
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor:v0.49.1
+    container_name: cadvisor
+    ports:
+      - 8080:8080
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:ro
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+      - /dev/disk/:/dev/disk:ro
+    devices:
+      - /dev/kmsg
+    privileged: true
+    restart: unless-stopped
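Review bot: Every line of this file is shown as removed and re-added with identical content apart from the image tag, which points to a line-ending or trailing-whitespace normalisation (the old `image:` line carries trailing spaces) rather than a content change, and it hides the one real edit. The same full-file rewrite appears in docker-compose/nodeexporter/docker-compose.yaml, docker-compose/prometheus/config/prometheus.yml and the four vagrant/hyperv Vagrantfiles. Normalising once through a `.gitattributes` entry such as `* text=auto` keeps future diffs down to the changed lines. Separately, `privileged: true` combined with the `/:/rootfs:ro` and `/var/run:/var/run:ro` mounts gives the container a wide view of the host; a one-line comment such as `# privileged + host ro mounts are what cAdvisor documents for reading host cgroups and devices` would tell a reader this is deliberate rather than copy-pasted.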

+ 1 - 1
docker-compose/grafana/docker-compose.yaml

@@ -4,7 +4,7 @@ volumes:
     driver: local
 services:
   grafana:
-    image: grafana/grafana-oss:10.3.3
+    image: docker.io/grafana/grafana-oss:10.4.1
     container_name: grafana
     ports:
       - "3000:3000"

+ 1 - 1
docker-compose/heimdall/docker-compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
   heimdall:
-    image: lscr.io/linuxserver/heimdall:2.6.1
+    image: lscr.io/linuxserver/heimdall:2021.11.28
     container_name: heimdall
     environment:
       - PUID=1000
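Review bot: The new tag `lscr.io/linuxserver/heimdall:2021.11.28` is date-style where the previous one was semver `2.6.1`; a 2021-dated tag landing in a bump alongside 2024 versions reads like a downgrade or a tag-format mix-up rather than an update. Please confirm upstream that this tag exists and is newer than 2.6.1 before merging, and prefer the current version-style tag if one is published.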

+ 2 - 1
docker-compose/homeassistant/docker-compose.yaml

@@ -2,10 +2,11 @@
 services:
   homeassistant:
     container_name: homeassistant
-    image: "ghcr.io/home-assistant/home-assistant:2023.6"
+    image: ghcr.io/home-assistant/home-assistant:2024.3.3
     volumes:
       - ./config:/config
       - /etc/localtime:/etc/localtime:ro
+      - /run/dbus:/run/dbus:ro
     # devices:
     #   - /dev/ttyACMO  # (optional) Add serial devices to the container
     privileged: true
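Review bot: The added bind mount `/run/dbus:/run/dbus:ro` has no comment saying which integration needs it, unlike the `# devices:` example directly below it. The `:ro` flag only makes the filesystem view read-only; the container can still send messages over the D-Bus socket, and with `privileged: true` that amounts to unrestricted host D-Bus access, so it should be opt-in like the devices block. Suggest `# (optional) host D-Bus socket — presumably for Bluetooth integrations; remove if unused` and confirm the intended use with the maintainer.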

+ 33 - 0
docker-compose/homepage/docker-compose.yaml

@@ -0,0 +1,33 @@
+---
+services:
+  homepage:
+    image: ghcr.io/gethomepage/homepage::v0.8.9
+    container_name: homepage
+    environment:
+      - LOG_LEVEL=info
+    # (Optional) Run as a specific user
+    #   - PUID=your-user-id
+    #   - PGID=your-group-id
+    # (Optional) For secret variables
+    #   - HOMEPAGE_VAR_YOURSECRET=your-secret-key
+    ports:
+      - 3000:3000
+    volumes:
+      - ./config:/app/config
+      - ./images:/app/images  # for custom background images
+      - ./icons:/app/icons  # for custom icons
+    restart: unless-stopped
+  # (Optional) For secure docker socket integration
+  # dockerproxy:
+  #   image: ghcr.io/tecnativa/docker-socket-proxy:v0.1.1
+  #   container_name: homepage-demo-1-dockerproxy
+  #   environment:
+  #     - CONTAINERS=1 # Allow access to viewing containers
+  #     - SERVICES=1 # Allow access to viewing services (necessary when using Docker Swarm)
+  #     - TASKS=1 # Allow access to viewing tasks (necessary when using Docker Swarm)
+  #     - POST=0 # Disallow any POST operations (effectively read-only)
+  #   ports:
+  #     - 127.0.0.1:2375:2375
+  #   volumes:
+  #     - /var/run/docker.sock:/var/run/docker.sock:ro # Mounted as read-only
+  #   restart: unless-stopped
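Review bot: The image reference `ghcr.io/gethomepage/homepage::v0.8.9` has a doubled colon, which is not a valid image reference and will make the pull fail; change it to `image: ghcr.io/gethomepage/homepage:v0.8.9`. The commented-out `container_name: homepage-demo-1-dockerproxy` looks copied from upstream docs and should become `homepage-dockerproxy` to match the naming of the rest of the file. Keeping the socket proxy example with `POST=0` and the loopback-bound `127.0.0.1:2375` port is a good default for anyone who enables it.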

+ 1 - 1
docker-compose/nextcloud/docker-compose.yaml

@@ -19,7 +19,7 @@ services:
   nextcloud-db:
     # See compatibility matrix for Nextcloud 28
     # https://docs.nextcloud.com/server/28/admin_manual/installation/system_requirements.html
-    image: docker.io/library/mariadb:10.6.17
+    image: docker.io/library/mariadb:11.3.2
     container_name: nextcloud-db
     command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
     volumes:
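Review bot: The comment directly above still says `# See compatibility matrix for Nextcloud 28`, but the image jumps a MariaDB major version from `10.6.17` to `11.3.2`; please confirm 11.3 is actually listed in that matrix before merging, since a database major upgrade also cannot be rolled back without a dump and restore. If it is supported, extend the comment with what was checked, e.g. `# MariaDB 11.3 checked against the Nextcloud 28 matrix on <date placeholder>`. The same major-version jump (`mariadb:10.3` → `mariadb:11.3`) appears in docker-compose/passbolt/docker-compose.yaml and deserves the same check.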

+ 2 - 2
docker-compose/nginxproxymanager/docker-compose.yaml

@@ -5,7 +5,7 @@ volumes:
   nginxproxymanager-db:
 services:
   nginxproxymanager:
-    image: jc21/nginx-proxy-manager:2.10.3
+    image: docker.io/jc21/nginx-proxy-manager:2.11.1
     ports:
       - 80:80
       - 81:81
@@ -20,7 +20,7 @@ services:
       - nginxproxymanager-data:/data
       - nginxproxymanager-ssl:/etc/letsencrypt
   nginxproxymanager-db:
-    image: jc21/mariadb-aria:10.4.15
+    image: jc21/mariadb-aria:10.11.5
     environment:
       - MYSQL_ROOT_PASSWORD=npm
       - MYSQL_DATABASE=npm

+ 9 - 9
docker-compose/nodeexporter/docker-compose.yaml

@@ -1,10 +1,10 @@
----
-services:
-  node_exporter:
-    image: quay.io/prometheus/node-exporter:v1.5.0
-    container_name: node_exporter
-    command: "--path.rootfs=/host"
-    pid: host
-    restart: unless-stopped
-    volumes:
+---
+services:
+  node_exporter:
+    image: quay.io/prometheus/node-exporter:v1.7.0
+    container_name: node_exporter
+    command: "--path.rootfs=/host"
+    pid: host
+    restart: unless-stopped
+    volumes:
       - /:/host:ro,rslave

+ 1 - 1
docker-compose/nvidiasmi/docker-compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
   nvidia_smi_exporter:
-    image: utkuozdemir/nvidia_gpu_exporter:0.3.0
+    image: utkuozdemir/nvidia_gpu_exporter:1.2.0
     container_name: nvidia_smi_exporter
     runtime: nvidia
     environment:

+ 1 - 1
docker-compose/passbolt/docker-compose.yaml

@@ -6,7 +6,7 @@ volumes:
 services:
   passbolt-db:
     container_name: passbolt-db
-    image: mariadb:10.3
+    image: mariadb:11.3
     environment:
       - MYSQL_RANDOM_ROOT_PASSWORD=true
       - MYSQL_DATABASE=$PASSBOLT_DB_NAME

+ 45 - 0
docker-compose/postgres/docker-compose.yaml

@@ -0,0 +1,45 @@
+---
+services:
+  postgres:
+    image: postgres:16.2
+    container_name: postgres
+    environment:
+      - POSTGRES_INITDB_ARGS=${POSTGRES_INITDB_ARGS---data-checksums}
+      - POSTGRES_HOST_AUTH_METHOD=${POSTGRES_HOST_AUTH_METHOD-}
+      - POSTGRES_USER=${POSTGRES_USER:-postgres}
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+      - POSTGRES_DB=${POSTGRES_DB:-$POSTGRES_USER}
+      - TZ=${TZ:-UTC}
+    ports:
+      - 5432:5432
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U "${POSTGRES_USER:-postgres}"']
+      start_period: 30s
+      interval: 10s
+      timeout: 10s
+      retries: 5
+    # (Optional)  When using custom network, see also
+    #             https://docs.docker.com/compose/compose-file/compose-file-v3/#networks
+    #
+    # networks:
+    #   - yournetwork
+    secrets:
+      - postgres_password
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    restart: unless-stopped
+
+# (Optional)  When using custom network, see also
+#             https://docs.docker.com/compose/compose-file/compose-file-v3/#network-configuration-reference
+#
+# networks:
+#   yournetwork:
+#     external: true
+
+secrets:
+  postgres_password:
+    file: secret.postgres_password.txt
+
+volumes:
+  postgres_data:
+    driver: local
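Review bot: `ports: - 5432:5432` publishes the database on every host interface, which undercuts the care taken with `POSTGRES_PASSWORD_FILE` and the secret file; unless remote clients are intended, bind to loopback with `- 127.0.0.1:5432:5432` or drop the `ports:` block and let dependent services join the container network. `POSTGRES_HOST_AUTH_METHOD=${POSTGRES_HOST_AUTH_METHOD-}` also lets a stray host environment variable switch authentication to `trust`, which together with the open port means password-less access; a comment such as `# leave unset; 'trust' disables password authentication` would make that risk visible. The healthcheck calls `pg_isready` without `-d`, which I believe can report ready while the image's entrypoint is still initialising the database over the local socket; adding `-d "${POSTGRES_DB:-postgres}"` is the usual fix, but verify against the image version in use.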

+ 27 - 27
docker-compose/prometheus/config/prometheus.yml

@@ -1,27 +1,27 @@
-global:
-  scrape_interval:     15s # By default, scrape targets every 15 seconds.
-
-  # Attach these labels to any time series or alerts when communicating with
-  # external systems (federation, remote storage, Alertmanager).
-  # external_labels:
-  #  monitor: 'codelab-monitor'
-
-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
-scrape_configs:
-  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
-  - job_name: 'prometheus'
-    # Override the global default and scrape targets from this job every 5 seconds.
-    scrape_interval: 5s
-    static_configs:
-      - targets: ['localhost:9090']
-
-  # Example job for node_exporter
-  # - job_name: 'node_exporter'
-  #   static_configs:
-  #     - targets: ['node_exporter:9100']
-
-  # Example job for cadvisor
-  # - job_name: 'cadvisor'
-  #   static_configs:
-  #     - targets: ['cadvisor:8080']
+global:
+  scrape_interval:     15s # By default, scrape targets every 15 seconds.
+
+  # Attach these labels to any time series or alerts when communicating with
+  # external systems (federation, remote storage, Alertmanager).
+  # external_labels:
+  #  monitor: 'codelab-monitor'
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+  - job_name: 'prometheus'
+    # Override the global default and scrape targets from this job every 5 seconds.
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['localhost:9090']
+
+  # Example job for node_exporter
+  # - job_name: 'node_exporter'
+  #   static_configs:
+  #     - targets: ['node_exporter:9100']
+
+  # Example job for cadvisor
+  # - job_name: 'cadvisor'
+  #   static_configs:
+  #     - targets: ['cadvisor:8080']

+ 1 - 1
docker-compose/prometheus/docker-compose.yaml

@@ -4,7 +4,7 @@ volumes:
     driver: local
 services:
   prometheus:
-    image: prom/prometheus:v2.50.1
+    image: prom/prometheus:v2.51.0
     container_name: prometheus
     ports:
       - 9090:9090

+ 1 - 1
docker-compose/teleport/docker-compose.yaml

@@ -5,7 +5,7 @@
 #     external: true
 services:
   teleport:
-    image: public.ecr.aws/gravitational/teleport-distroless:13
+    image: public.ecr.aws/gravitational/teleport-distroless:15
     container_name: teleport
     ports:
       # -- (Optional) Remove this section, when using Traefik

+ 16 - 0
docker-compose/traefik/config/conf/example-externalservice.yaml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    your-local-router:
+      rule: "Host(`your-local-service.your-domain.com`) && PathPrefix(`/`)"
+      service: your-local-service
+      priority: 1000
+      entryPoints:
+        - web
+        # (optional) Permanent Redirect to HTTPS
+        # - websecure
+
+  services:
+    your-local-service:
+      loadBalancer:
+        servers:
+          - url: "http://your-local-service:port"

+ 1 - 1
kubernetes/traefik/values.yml

@@ -84,7 +84,7 @@ deployment:
     # The "volume-permissions" init container is required if you run into permission issues.
     # Related issue: https://github.com/containous/traefik/issues/6972
     - name: volume-permissions
-      image: busybox:1.31.1
+      image: busybox:1.36.1
       command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
       volumeMounts:
         - name: ssl-certs

+ 19 - 0
renovate.json

@@ -0,0 +1,19 @@
+ {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "labels": ["renovate"],
+  "packageRules": [
+    {
+      "depTypeList": [ "devDependencies", "require-dev" ],
+      "updateTypes": [ "patch", "minor", "digest"],
+      "groupName": "devDependencies (non-major)"
+    }
+  ],
+  "extends": [
+    "config:base",
+    ":preserveSemverRanges",
+    ":dependencyDashboard",
+    ":rebaseStalePrs",
+    ":enableVulnerabilityAlertsWithLabel('security')",
+    "group:recommended"
+  ]
+}
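Review bot: `depTypeList` and `updateTypes` in the package rule are deprecated Renovate option names; to my knowledge the current equivalents are `matchDepTypes` and `matchUpdateTypes`, and `config:base` has been superseded by `config:recommended`, so this file will at least produce deprecation warnings and may stop matching under a newer Renovate (verify against the Renovate version in use). That rule also targets `devDependencies` and `require-dev`, which do not occur in a repository of compose, Terraform and Vagrant files, so it is likely dead configuration and could be removed. The leading space before the opening `{` on the first line is harmless but looks like a paste artefact.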

+ 1 - 1
terraform/cloudflare/provider.tf

@@ -8,7 +8,7 @@ terraform {
   required_providers {
     cloudflare = {
       source = "cloudflare/cloudflare"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
   }
 }

+ 1 - 1
terraform/kubectl/provider.tf

@@ -9,7 +9,7 @@ terraform {
     required_providers {
         kubectl = {
             source = "gavinbunney/kubectl"
-            version = "1.13.1"
+            version = "1.14.0"
         }
     }
 }

+ 1 - 1
terraform/kubernetes/provider.tf

@@ -9,7 +9,7 @@ terraform {
     required_providers {
         kubernetes = {
             source = "hashicorp/kubernetes"
-            version = "2.8.0"     
+            version = "2.27.0"     
         }
     }
 }

+ 1 - 1
terraform/templates/cloud-deployment-example/main.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     cloudflare = {
         source = "cloudflare/cloudflare"
-        version = "~> 3.0"
+        version = "~> 4.0"
     }
     civo = {
         source = "civo/civo"

+ 4 - 4
terraform/templates/kubernetes-automation-example/provider.tf

@@ -9,19 +9,19 @@ terraform {
         }
         helm = {
             source = "hashicorp/helm"
-            version = "2.4.1"
+            version = "2.12.1"
         }
         kubernetes = {
             source = "hashicorp/kubernetes"
-            version = "2.8.0"     
+            version = "2.27.0"     
         }
         kubectl = {
             source = "gavinbunney/kubectl"
-            version = "1.13.1"
+            version = "1.14.0"
         }
         cloudflare = {
             source = "cloudflare/cloudflare"
-            version = "~> 3.0"
+            version = "~> 4.0"
         }
     }
 }

+ 1 - 1
terraform/templates/simple-docker-example/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     docker = {
       source = "kreuzwerker/docker"
-      version = "~> 2.13.0"
+      version = "~> 3.0.0"
     }
   }
 }

+ 20 - 20
vagrant/hyperv/ubuntu/docker/Vagrantfile

@@ -1,20 +1,20 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure("2") do |config|
-  config.vm.box = "generic/ubuntu2004"
-  config.vm.network "public_network"
-  config.vm.synced_folder ".", "/vagrant_data", disabled: true
-  config.vm.provider "hyperv"
-  config.vm.provider "hyperv" do |h|
-    h.enable_virtualization_extensions = false
-    h.linked_clone = true
-    h.memory = 2048
-    h.vmname = "ubuntu_docker_1"
-  end
-
-  config.vm.provision "ansible" do |a|
-    a.verbose = "v"
-    a.playbook = "playbook.yaml"
-  end
-end
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/ubuntu2004"
+  config.vm.network "public_network"
+  config.vm.synced_folder ".", "/vagrant_data", disabled: true
+  config.vm.provider "hyperv"
+  config.vm.provider "hyperv" do |h|
+    h.enable_virtualization_extensions = false
+    h.linked_clone = true
+    h.memory = 2048
+    h.vmname = "ubuntu_docker_1"
+  end
+
+  config.vm.provision "ansible" do |a|
+    a.verbose = "v"
+    a.playbook = "playbook.yaml"
+  end
+end
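Review bot: `config.vm.provider "hyperv"` is declared once on its own and then again with a configuration block directly below; the bare call is redundant and can be removed, leaving only the `do |h| … end` form. The same duplicate appears in the other three vagrant/hyperv Vagrantfiles in this commit. Since the whole file is re-added here, the entire `Vagrant.configure` block is inside the hunk.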

+ 20 - 20
vagrant/hyperv/ubuntu/microk8s-installed/Vagrantfile

@@ -1,20 +1,20 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure("2") do |config|
-  config.vm.box = "generic/ubuntu2004"
-  config.vm.network "public_network"
-  config.vm.synced_folder ".", "/vagrant_data", disabled: true
-  config.vm.provider "hyperv"
-  config.vm.provider "hyperv" do |h|
-    h.enable_virtualization_extensions = false
-    h.linked_clone = true
-    h.memory = 2048
-    h.vmname = "ubuntu_plain_1"
-  end
-
-  config.vm.provision "ansible" do |a|
-    a.verbose = "v"
-    a.playbook = "playbook.yaml"
-  end
-end
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/ubuntu2004"
+  config.vm.network "public_network"
+  config.vm.synced_folder ".", "/vagrant_data", disabled: true
+  config.vm.provider "hyperv"
+  config.vm.provider "hyperv" do |h|
+    h.enable_virtualization_extensions = false
+    h.linked_clone = true
+    h.memory = 2048
+    h.vmname = "ubuntu_plain_1"
+  end
+
+  config.vm.provision "ansible" do |a|
+    a.verbose = "v"
+    a.playbook = "playbook.yaml"
+  end
+end
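Review bot: `h.vmname = "ubuntu_plain_1"` in the microk8s-installed Vagrantfile is the same Hyper-V VM name used by vagrant/hyperv/ubuntu/plain/Vagrantfile, so bringing both environments up on one host would collide on the VM name, whereas the docker variant correctly uses `ubuntu_docker_1`. Rename it, e.g. `h.vmname = "ubuntu_microk8s_1"`, so the name matches the directory.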

+ 22 - 22
vagrant/hyperv/ubuntu/plain-with-cockpit/Vagrantfile

@@ -1,22 +1,22 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure("2") do |config|
-  config.vm.box = "generic/ubuntu2004"
-  config.vm.network "public_network", bridge: "BRIDGE"
-  config.vm.synced_folder ".", "/vagrant_data", disabled: true
-  config.vm.provider "hyperv"
-  config.vm.hostname = "ubuntu_plan-with-cockpit-1"
-
-  config.vm.provider "hyperv" do |h|
-    h.enable_virtualization_extensions = false
-    h.linked_clone = true
-    h.memory = 2048
-    h.vmname = "ubuntu_plan-with-cockpit-1"
-  end
-
-  config.vm.provision "ansible" do |a|
-    a.verbose = "v"
-    a.playbook = "playbook.yaml"
-  end
-end
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/ubuntu2004"
+  config.vm.network "public_network", bridge: "BRIDGE"
+  config.vm.synced_folder ".", "/vagrant_data", disabled: true
+  config.vm.provider "hyperv"
+  config.vm.hostname = "ubuntu_plan-with-cockpit-1"
+
+  config.vm.provider "hyperv" do |h|
+    h.enable_virtualization_extensions = false
+    h.linked_clone = true
+    h.memory = 2048
+    h.vmname = "ubuntu_plan-with-cockpit-1"
+  end
+
+  config.vm.provision "ansible" do |a|
+    a.verbose = "v"
+    a.playbook = "playbook.yaml"
+  end
+end
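Review bot: `config.vm.hostname = "ubuntu_plan-with-cockpit-1"` contains an underscore, which is not permitted in DNS host names (RFC 1123 allows only letters, digits and hyphens), and "plan" looks like a typo for "plain"; Vagrant's hostname provisioning on the guest may reject or mangle it. Suggest `config.vm.hostname = "ubuntu-plain-with-cockpit-1"`, and keep `h.vmname` (a Hyper-V display name, where underscores are acceptable) consistent with it. `bridge: "BRIDGE"` is a placeholder that must be replaced with a real Hyper-V virtual switch name before use; a comment saying so would save the next user a failed `vagrant up`.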

+ 15 - 15
vagrant/hyperv/ubuntu/plain/Vagrantfile

@@ -1,15 +1,15 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure("2") do |config|
-  config.vm.box = "generic/ubuntu2004"
-  config.vm.network "public_network"
-  config.vm.synced_folder ".", "/vagrant_data", disabled: true
-  config.vm.provider "hyperv"
-  config.vm.provider "hyperv" do |h|
-    h.enable_virtualization_extensions = false
-    h.linked_clone = true
-    h.memory = 2048
-    h.vmname = "ubuntu_plain_1"
-  end
-end
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/ubuntu2004"
+  config.vm.network "public_network"
+  config.vm.synced_folder ".", "/vagrant_data", disabled: true
+  config.vm.provider "hyperv"
+  config.vm.provider "hyperv" do |h|
+    h.enable_virtualization_extensions = false
+    h.linked_clone = true
+    h.memory = 2048
+    h.vmname = "ubuntu_plain_1"
+  end
+end