docker-stacks/README.md

# Docker Stacks

GitOps-managed Docker Compose stacks. Push changes to `main` branch and Gitea Actions will automatically deploy.

## Structure

```
stacks/
├── traefik/          # Reverse proxy + SSL
├── authentik/        # SSO/Identity provider
├── registry/         # Docker registry
├── immich/           # Photo management
├── planka/           # Kanban boards
├── syncthing/        # File sync
├── filebrowser/      # Web file manager
├── memento/          # Custom app
├── obsidian-tools/   # Obsidian vault tools
├── perilous/         # Blog/website
├── ramz/             # Go web app
├── bookclub/         # Form mailer
├── invidious/        # YouTube frontend
├── watchtower/       # Auto container updates
├── dockge/           # Container management UI
└── smokeping/        # Network monitoring
```

## How It Works

1. Edit compose files in `stacks/<service>/`
2. Commit and push to `main`
3. Gitea Actions detects changed stacks
4. Deploys only the changed stacks to `/var/core/<service>/`

## Manual Deploy

```bash
# Deploy single stack
./scripts/deploy.sh traefik

# Deploy all stacks
./scripts/deploy.sh all
```

## Required Gitea Secrets

Set these in Gitea → Repository → Settings → Actions → Secrets:

### Global
| Secret | Description |
|--------|-------------|
| `DOMAIN` | Base domain (e.g., `ghost.tel`) |
| `VOLUMES_ROOT` | Data root path (e.g., `/var/core`) |
| `ACME_EMAIL` | Email for Let's Encrypt |

### Authentik
| Secret | Description |
|--------|-------------|
| `AUTHENTIK_SECRET_KEY` | Generate: `openssl rand -hex 50` |
| `AUTHENTIK_PG_PASS` | PostgreSQL password |

### Immich
| Secret | Description |
|--------|-------------|
| `IMMICH_DB_PASSWORD` | PostgreSQL password |

### Planka
| Secret | Description |
|--------|-------------|
| `PLANKA_SECRET_KEY` | Generate: `openssl rand -hex 64` |
| `PLANKA_OIDC_CLIENT_ID` | Authentik client ID |
| `PLANKA_OIDC_CLIENT_SECRET` | Authentik client secret |

### Registry
| Secret | Description |
|--------|-------------|
| `REGISTRY_HTTP_SECRET` | Generate: `openssl rand -hex 32` |

### Memento
| Secret | Description |
|--------|-------------|
| `MEMENTO_AUTH_SECRET` | Auth.js secret |
| `MEMENTO_AUTHENTIK_CLIENT_ID` | Authentik client ID |
| `MEMENTO_AUTHENTIK_CLIENT_SECRET` | Authentik client secret |

### Bookclub
| Secret | Description |
|--------|-------------|
| `BOOKCLUB_SMTP_HOST` | SMTP server |
| `BOOKCLUB_SMTP_USER` | SMTP username |
| `BOOKCLUB_SMTP_PASS` | SMTP password |
| `BOOKCLUB_MAIL_FROM` | From email |
| `BOOKCLUB_MAIL_TO` | Recipient email |
| `BOOKCLUB_SECRET_PHRASE` | Form submission secret |

### Perilous
| Secret | Description |
|--------|-------------|
| `PERILOUS_CODE_SERVER_PASSWORD` | Code-server password |

### Invidious
| Secret | Description |
|--------|-------------|
| `INVIDIOUS_DB_PASSWORD` | PostgreSQL password |
| `INVIDIOUS_HMAC_KEY` | Generate: `openssl rand -hex 16` |
| `INVIDIOUS_COMPANION_KEY` | **Must be exactly 16 chars**: `openssl rand -base64 12` |

## Runner Setup

The workflow requires a self-hosted runner on the prod server:

```bash
# On ubuntu-prod, register a Gitea runner
# See: https://docs.gitea.com/usage/actions/act-runner

# Install act_runner
wget https://gitea.com/gitea/act_runner/releases/download/v0.2.6/act_runner-0.2.6-linux-amd64
chmod +x act_runner-*
sudo mv act_runner-* /usr/local/bin/act_runner

# Register with Gitea
act_runner register --no-interactive \
  --instance https://gitea.ghost.tel \
  --token <runner-token> \
  --name ubuntu-prod \
  --labels ubuntu-prod

# Run as service
act_runner daemon
```

## First-Time Setup

1. Create the `web` Docker network:
   ```bash
   docker network create web
   ```

2. Create `acme.json` for Traefik:
   ```bash
   touch /var/core/traefik/acme.json
   chmod 600 /var/core/traefik/acme.json
   ```

3. Deploy traefik first:
   ```bash
   ./scripts/deploy.sh traefik
   ```

4. Then deploy other stacks as needed.
# Runner test Wed 21 Jan 2026 12:08:53 AM EST
# Runner test 2 Wed 21 Jan 2026 12:11:37 AM EST