changed Files: docker-compose/traefik/configuration.yml.j2

docker-compose/traefik/file-provider.yml group_vars/blocky.yml group_vars/munin.yml Signed-off-by: Michael Grote <michael.grote@posteo.de>
2024-11-14 12:13:24 +00:00
43 changed files with 219 additions and 282 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@ -26,7 +26,7 @@ jobs:
        uses: actions/checkout@v4
      - name: Run Gitleaks
-        uses: docker://zricethezav/gitleaks:v8.22.0
+        uses: docker://zricethezav/gitleaks:v8.21.2
        with:
          args: detect --no-git --verbose --source ${{ github.workspace }}
--- a/docker-compose/act-runner/docker-compose.yml.j2
+++ b/docker-compose/act-runner/docker-compose.yml.j2
@ -3,7 +3,7 @@
 services:
  runner:
    container_name: act-runner
-    image: gitea/act_runner:0.2.11
+    image: gitea/act_runner
    restart: unless-stopped
    pull_policy: missing
    volumes:
--- a/docker-compose/authelia/docker-compose.yml.j2
+++ b/docker-compose/authelia/docker-compose.yml.j2
@ -1,91 +0,0 @@
 # Details/Doku: https://wiki.mgrote.net/pages/_Technik/software/rest/ldap/?h=ldap
 services:
 ######## authelia ########
  authelia:
    image: authelia/authelia:4.38.17
    container_name: authelia
    restart: unless-stopped
    pull_policy: missing
    environment:
      TZ: Europe/Berlin
    volumes:
      - ./configuration.yml:/config/configuration.yml
      - ./users_database.yml:/config/users_database.yml
      - authelia_data:/data
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
      traefik.http.services.authelia.loadbalancer.server.port: 9091
      traefik.http.routers.authelia.tls: true
      traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.authelia.entrypoints: entry_https
      traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
    depends_on:
      - authelia-redis
      - authelia-db
    networks:
      - traefik
      - postfix
      - authelia
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://authelia:9091"]
      interval: 30s
      timeout: 10s
      retries: 3
 ######## Redis ########
  authelia-redis:
    image: "redis:7.4.1"
    container_name: authelia-redis
    restart: unless-stopped
    pull_policy: missing
    environment:
      TZ: Europe/Berlin
    networks:
      - authelia
    healthcheck:
      test: ["CMD", "redis-cli", "--no-auth-warning", "ping"]
      interval: 5s
      timeout: 2s
      retries: 3
 ######## Datenbank ########
  authelia-db:
    image: "mariadb:11.6.2"
    container_name: authelia-db
    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
    restart: unless-stopped
    pull_policy: missing
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - db:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia/authelia_mysql_root_password', 'password') }}"
      MYSQL_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia/authelia_mysql_password', 'password') }}"
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_INITDB_SKIP_TZINFO: 1
    networks:
      - authelia
    healthcheck:
      test: ["CMD", "mariadb-show", "authelia", "-h", "localhost", "-u", "authelia", "-p{{ lookup('viczem.keepass.keepass', 'authelia/authelia_mysql_password', 'password') }}"]
      interval: 30s
      timeout: 10s
      retries: 3
 ######## Networks ########
 networks:
  authelia:
  traefik:
    external: true
  postfix:
    external: true
 ######## Volumes ########
 volumes:
  authelia_data:
  db:
--- a/docker-compose/authelia/docs.md
+++ b/docker-compose/authelia/docs.md
@ -1,7 +0,0 @@
 # authelia function matrix
 | App            | User                  | Password Reset | Group                                              |
 | -              | -                     | -              | -                                                  |
 | ``authelia_*`` | `authelia_bind_user`  | yes            | `lldap_strict_readonly` + `lldap_password_manager` |
 | `forgejo`      | `forgejo_bind_user`   | no             | `lldap_strict_readonly`                            |
 | `nextcloud`    | `nextcloud_bind_user` | yes            | `lldap_strict_readonly` + `lldap_password_manager` |
--- a/docker-compose/gramps/docker-compose.yml.j2
+++ b/docker-compose/gramps/docker-compose.yml.j2
@ -2,7 +2,7 @@
 services:
  grampsweb: &grampsweb
    container_name: grampsweb
-    image: ghcr.io/gramps-project/grampsweb:v24.12.1  # version
+    image: ghcr.io/gramps-project/grampsweb:v24.10.0  # version
    restart: unless-stopped
    pull_policy: missing
    ports:
@ -36,7 +36,7 @@ services:
  grampsweb_celery:
    <<: *grampsweb  # YAML merge key copying the entire grampsweb service config
    ports: []
-    container_name: grampsweb-celery
+    container_name: grampsweb_celery
    depends_on:
      - grampsweb_redis
    command: celery -A gramps_webapi.celery worker --loglevel=INFO
@ -44,7 +44,7 @@ services:
  grampsweb_redis:
    image: redis:7.4.1-alpine
-    container_name: grampsweb-redis
+    container_name: grampsweb_redis
    restart: unless-stopped
    pull_policy: missing
    healthcheck:
--- a/docker-compose/lldap/docker-compose.yml.j2
+++ b/docker-compose/lldap/docker-compose.yml.j2
@ -1,52 +0,0 @@
 services:
  lldap:
    image: lldap/lldap:v0.6.1-debian-rootless
    container_name: lldap
    restart: unless-stopped
    pull_policy: missing
    ports:
      - "3890:3890"
      - "17170:17170" # front-end
    volumes:
      - "lldap_data:/data"
      - "./lldap_config.toml:/data/lldap_config.toml"
    environment:
      TZ: Europe/Berlin
    networks:
      - traefik
      - postfix
      - internal
    depends_on:
      - lldap-db17
 ######## Postgres ########
  lldap-db17:
    container_name: "lldap-db"
    image: "postgres:17.2"
    restart: unless-stopped
    pull_policy: missing
    environment:
      POSTGRES_USER: lldap
      POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}"
      TZ: Europe/Berlin
    volumes:
      - db17:/var/lib/postgresql/data
    networks:
      - internal
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "lldap"]
      interval: 10s
      start_period: 30s
 ######## Networks ########
 networks:
  traefik:
    external: true
  postfix:
    external: true
  internal:
 ######## Volumes ########
 volumes:
  lldap_data:
  db17:
--- a/docker-compose/lldap/lldap_config.toml.j2
+++ b/docker-compose/lldap/lldap_config.toml.j2
@ -1,29 +0,0 @@
 verbose = false
 ldap_host = "0.0.0.0"
 ldap_port = 3890
 http_host = "0.0.0.0"
 http_port = 17170
 http_url = "https://ldap.mgrote.net"
 jwt_secret = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_jwt_secret', 'password') }}"
 ldap_base_dn = "dc=mgrote,dc=net"
 ldap_user_dn = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user', 'username') }}"
 ldap_user_email = "lldap-admin@mgrote.net"
 ldap_user_pass = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user', 'password') }}"
 database_url = "postgres://lldap:{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}@lldap-db/lldap"
 key_seed = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_key_seed', 'password') }}"
 key_file = ""
 force_ldap_user_pass_reset = "always"
 [smtp_options]
 enable_password_reset = false
 server = "postfix"
 port = 25
 smtp_encryption = "NONE"
 reply_to  ="Do not reply <info@mgrote.net>"
--- a/docker-compose/miniflux/docker-compose.yml.j2
+++ b/docker-compose/miniflux/docker-compose.yml.j2
@ -2,7 +2,7 @@ services:
 ######## Miniflux ########
  miniflux:
    container_name: "mf-frontend"
-    image: "ghcr.io/miniflux/miniflux:2.2.4"
+    image: "ghcr.io/miniflux/miniflux:2.2.3"
    restart: unless-stopped
    pull_policy: missing
    depends_on:
@ -19,7 +19,7 @@ services:
      CLEANUP_ARCHIVE_READ_DAYS: 90
      TZ: Europe/Berlin
    networks:
-      - internal
+      - intern
      - traefik
    healthcheck:
      test: ["CMD", "/usr/bin/miniflux", "-healthcheck", "auto"]
@ -34,7 +34,7 @@ services:
 ######## Postgres ########
  mf-db17:
    container_name: "mf-db"
-    image: "postgres:17.2"
+    image: "postgres:17.0"
    restart: unless-stopped
    pull_policy: missing
    environment:
@ -45,7 +45,7 @@ services:
    volumes:
      - db17:/var/lib/postgresql/data
    networks:
-      - internal
+      - intern
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "miniflux"]
      interval: 10s
@ -68,7 +68,7 @@ services:
    volumes:
      - ./filter.txt:/data/filter.txt
    networks:
-      - internal
+      - intern
 ######## Volumes ########
 volumes:
@ -77,5 +77,5 @@ volumes:
 networks:
  traefik:
    external: true
-  internal:
+  intern:
    driver: bridge
--- a/docker-compose/miniflux/filter.txt
+++ b/docker-compose/miniflux/filter.txt
@ -9,15 +9,11 @@ axios.com::PGA
 axios.com::football
 computerbase.de::Adrenalin 2020 Edition
 computerbase.de::Adrenalin 2021 Edition
 computerbase.de::Adrenalin 2022 Edition
 computerbase.de::Adrenalin 2023 Edition
 computerbase.de::Adrenalin 2024 Edition
 computerbase.de::Adrenalin 2025 Edition
 computerbase.de::CB-Funk
-computerbase.de::Community-Hilfe
+computerbase.de::CB-Funk-Podcast
 computerbase.de::Community-Umfrage
 computerbase.de::Community-Hilfe
 computerbase.de::Community: Fotowettbewerb
 computerbase.de::Computer-Hilfe
 computerbase.de::Elon Musk
 computerbase.de::Fotowettbewerb:
 computerbase.de::Fussball
@ -55,8 +51,6 @@ hardwareluxx.de::Der Hardwareluxx-Webwatch:
 hardwareluxx.de::Die Artikel unserer Partner
 hardwareluxx.de::KW
 hardwareluxx.de::Shopping Club
 heise.de::Top 10:
 heise.de::Top 5:
 heise.de::"Passwort"
 heise.de::#TGIQF
 heise.de::#heiseshow
@ -67,7 +61,6 @@ heise.de::Bit-Rauschen, der Prozessor-Podcast
 heise.de::Desinfec
 heise.de::Die Bilder der Woche
 heise.de::Die Highlights bei
 heise.de::Die Produktwerker
 heise.de::Dienstag
 heise.de::Dienstag:
 heise.de::Elon Musk
@ -75,8 +68,8 @@ heise.de::FIFA
 heise.de::Ferris Talk
 heise.de::Fotografie
 heise.de::Fotografie-Wettbewerb
 heise.de::Fotonews
 heise.de::Fotowettbewerb
 heise.de::Fotonews
 heise.de::Freitag
 heise.de::Fußball-WM
 heise.de::Heise spielt
@ -91,6 +84,7 @@ heise.de::Mittwoch
 heise.de::Montag
 heise.de::Podcast
 heise.de::Podcast "Die Hupe"
 heise.de::Die Produktwerker
 heise.de::SoftwareArchitekTOUR
 heise.de::Sonderheft
 heise.de::TGIQF
@ -101,7 +95,6 @@ heise.de::Twitter
 heise.de::WM 2022
 heise.de::Was war. Was wird.
 heise.de::Zugriff auf alle Inhalte von heise+
 heise.de::bestenlisten
 heise.de::c't <webdev>
 heise.de::c’t-Webinar:
 heise.de::die Fotonews der Woche
@ -293,12 +286,14 @@ tagesschau.de::Werders
 tagesschau.de::Zukunftspodcast
 tagesschau.de::Zweierbob:
 taz.de::America's Cup
-taz.de::Bahnrad
+taz.de::Ski
 taz.de::Dart
 taz.de::America's Cup
 taz.de::America's Cup
 taz.de::Bahnrad
 taz.de::Fussball
 taz.de::Läufer
 taz.de::NBA
 taz.de::Ski
 taz.de::Tischtennis
 taz.de::bundesliga
 taz.de::cricket
--- a/docker-compose/miniflux/sort_and_remove_double_entries.sh
+++ b/docker-compose/miniflux/sort_and_remove_double_entries.sh
@ -0,0 +1,9 @@
 #!/bin/bash
 FILTERFILE=./filter.txt
 VORHER=$(wc -l < $FILTERFILE)
 echo Sortiere und filtere doppelte Zeilen heraus.
 sort filter.txt | uniq -u -i | cat > .tmp
 NACHHER=$(wc -l < .tmp)
 echo Es wurden $((VORHER-NACHHER)) Zeilen  entfernt!
 mv -f .tmp filter.txt
--- a/docker-compose/navidrome/docker-compose.yml.j2
+++ b/docker-compose/navidrome/docker-compose.yml.j2
@ -1,39 +1,32 @@
 services:
-######## navidrome ########
+######## navidrome-mg ########
-  navidrome:
+  navidrome-mg:
-    container_name: "navidrome"
+    container_name: "navidrome-mg"
-    image: "deluan/navidrome:0.54.2"
+    image: "deluan/navidrome:0.53.3"
    restart: unless-stopped
    pull_policy: missing
    environment:
      ND_LOGLEVEL: info
      ND_SESSIONTIMEOUT: 24h
      ND_MUSICFOLDER: /music
      ND_DATAFOLDER: /data
      ND_SCANSCHEDULE: 0 1 * * *
      ND_TRANSCODINGCACHESIZE: 500MB
      ND_IMAGECACHESIZE: 100MB
      ND_AUTOIMPORTPLAYLISTS: false
      ND_BASEURL: /mg
-      ND_COVERARTPRIORITY: "embedded, cover.*, folder.*, front.*, external"
+      ND_ENABLESTARRATING: false
-      ND_DATAFOLDER: /data
+      ND_ENABLEGRAVATAR: false
      ND_LASTFM_ENABLED: false
      ND_ENABLETRANSCODINGCONFIG: true
      ND_COVERARTPRIORITY: "embedded"
      ND_ENABLEARTWORKPRECACHE: true
      ND_ENABLECOVERANIMATION: false
      ND_ENABLEEXTERNALSERVICES: false
      ND_ENABLEFAVOURITES: true
      ND_ENABLEGRAVATAR: false
      ND_ENABLEINSIGHTSCOLLECTOR: false
      ND_ENABLELOGREDACTING: true
      ND_ENABLEMEDIAFILECOVERART: true
      ND_ENABLEREPLAYGAIN: true
      ND_ENABLESHARING: false
      ND_ENABLESTARRATING: false
      ND_ENABLETRANSCODINGCONFIG: true
      ND_IMAGECACHESIZE: 100MB
      ND_JUKEBOX_ENABLED: false
      ND_LASTFM_ENABLED: false
      ND_LISTENBRAINZ_ENABLED: false
      ND_LOGLEVEL: info
      ND_MUSICFOLDER: /music
      ND_PLAYLISTSPATH: "_playlists"
      ND_PROMETHEUS_ENABLED: false
      ND_RECENTLYADDEDBYMODTIME: true
      ND_SCANSCHEDULE: 0 1 * * *
      ND_SESSIONTIMEOUT: 24h
      ND_TRANSCODINGCACHESIZE: 500MB
      PUID: 1000
      PGID: 1000
      TZ: Europe/Berlin
--- a/docker-compose/nextcloud/docker-compose.yml.j2
+++ b/docker-compose/nextcloud/docker-compose.yml.j2
@ -1,7 +1,7 @@
 services:
 ######## Datenbank ########
  nextcloud-db:
-    image: "mariadb:11.6.2"
+    image: "mariadb:11.5.2"
    container_name: nextcloud-db
    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
    restart: unless-stopped
@ -17,7 +17,7 @@ services:
      MYSQL_USER: nextcloud
      MYSQL_INITDB_SKIP_TZINFO: 1
    networks:
-      - internal
+      - intern
    healthcheck:
      test: ["CMD", "mariadb-show", "nextcloud", "-h", "localhost", "-u", "nextcloud", "-p{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_mysql_password', 'password') }}"]
      interval: 30s
@ -36,7 +36,7 @@ services:
    container_name: nextcloud-redis
    hostname: nextcloud-redis
    networks:
-      - internal
+      - intern
    restart: unless-stopped
    pull_policy: missing
    command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}"
@ -62,7 +62,7 @@ services:
 ######## Nextcloud ########
  nextcloud-app:
-    image: "nextcloud:30.0.4"
+    image: "nextcloud:30.0.2"
    container_name: nextcloud-app
    restart: unless-stopped
    pull_policy: missing
@ -101,7 +101,7 @@ services:
      - ./misc.sh:/docker-entrypoint-hooks.d/post-installation/misc.sh
      - ./misc.sh:/docker-entrypoint-hooks.d/before-starting/misc.sh
    networks:
-      - internal
+      - intern
      - traefik
      - postfix
    healthcheck:
@ -129,7 +129,7 @@ services:
 ######## Networks ########
 networks:
-  internal:
+  intern:
    driver: bridge
  traefik:
    external: true
--- a/docker-compose/nextcloud/ldap.sh.j2
+++ b/docker-compose/nextcloud/ldap.sh.j2
@ -10,7 +10,7 @@ php occ app:enable user_ldap
 #php occ ldap:create-empty-config # wird nur bei komplett neuer nextcloud benötigt, legt sonst bei jedem durchlauf weitere ldap-configs an
 # EDIT: domain
-php occ ldap:set-config s01 ldapHost "ldap://lldap."
+php occ ldap:set-config s01 ldapHost "ldap://ldap.mgrote.net."
 php occ ldap:set-config s01 ldapPort 3890
 # EDIT: admin user
 php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
@ -45,6 +45,5 @@ php occ ldap:set-config s01 ldapUuidGroupAttribute auto
 php occ ldap:set-config s01 ldapUuidUserAttribute auto
 php occ ldap:set-config s01 ldapExpertUsernameAttr user_id
 php occ ldap:set-config s01 ldap_mark_remnants_as_disabled 1
 php occ ldap:set-config s01 ldap_turn_on_pwd_change 1
 # damit der Login über LDAP geht muss das Attribute "DisplayName" gesetzt sein!
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@ -8,7 +8,7 @@ services:
      - oci:/var/lib/registry
    networks:
      - traefik
-      - internal
+      - intern
    depends_on:
      - oci-registry-redis
    healthcheck:
@ -51,7 +51,7 @@ services:
    image: "redis:7.4.1"
    container_name: oci-registry-redis
    networks:
-      - internal
+      - intern
    restart: unless-stopped
    pull_policy: missing
    environment:
@ -66,10 +66,9 @@ services:
  oci-registry-ui:
    restart: unless-stopped
    pull_policy: missing
    # url: registry.mgrote.net/ui/index.html
    image: "joxit/docker-registry-ui:2.5.7"
    container_name: oci-registry-ui
    ports:
      - 5511:80
    environment:
      DELETE_IMAGES: true
      SINGLE_REGISTRY: true
@ -81,18 +80,26 @@ services:
      - oci-registry
    networks:
      - traefik
-      - internal
+      - intern
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1"]
      interval: 30s
      timeout: 10s
      retries: 3
    labels:
      traefik.http.routers.registry-ui.rule: Host(`rui.mgrote.net`)
      traefik.http.routers.registry-ui.middlewares: allowlist_localnet@file,ratelimit40@file,authelia@docker
      traefik.enable: true
      traefik.http.routers.registry-ui.tls: true
      traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.registry-ui.entrypoints: entry_https
      traefik.http.services.registry-ui.loadbalancer.server.port: 80
 ######## Networks ########
 networks:
  traefik:
    external: true
-  internal:
+  intern:
 ######## Volumes ########
 volumes:
--- a/docker-compose/authelia/configuration.yml.j2
+++ b/docker-compose/authelia/configuration.yml.j2
@ -21,6 +21,14 @@ access_control:
      policy: one_factor
      subject:
        - 'group:authelia_wiki'
    - domain: munin.mgrote.net
      policy: one_factor
      subject:
        - 'group:authelia_munin'
    - domain: rui.mgrote.net
      policy: one_factor
      subject:
        - 'group:authelia_registry-ui'
 session:
  name: authelia_session
@ -59,11 +67,11 @@ notifier:
 # https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
 authentication_backend:
  password_reset:
-    disable: false
+    disable: true
  refresh_interval: 1m
  ldap:
    implementation: custom
-    address: ldap://lldap:3890
+    address: ldap://ldap.mgrote.net:3890
    timeout: 5s
    start_tls: false
    base_dn: dc=mgrote,dc=net
@ -79,4 +87,4 @@ authentication_backend:
    user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net
    password: '{{ lookup('viczem.keepass.keepass', 'authelia/lldap_authelia_bind_user', 'password') }}'
-# Details/Doku: https://wiki.mgrote.net/pages/_Technik/software/rest/ldap/
+# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
@ -1,10 +1,10 @@
-# Details/Doku: https://wiki.mgrote.net/pages/_Technik/software/rest/ldap/?h=ldap
+# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
 services:
 ######## traefik ########
  traefik:
    container_name: traefik
-    image: "traefik:v3.2.3"
+    image: "traefik:v3.2.0"
    restart: unless-stopped
    pull_policy: missing
    volumes:
@ -26,6 +26,84 @@ services:
      interval: 30s
      timeout: 10s
      retries: 3
    depends_on:
      - authelia
 ######## authelia ########
  authelia:
    image: authelia/authelia:4.38.17
    container_name: authelia
    restart: unless-stopped
    pull_policy: missing
    environment:
      TZ: Europe/Berlin
    volumes:
      - ./configuration.yml:/config/configuration.yml
      - ./users_database.yml:/config/users_database.yml
      - authelia_data:/data
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
      traefik.http.services.authelia.loadbalancer.server.port: 9091
      traefik.http.routers.authelia.tls: true
      traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.authelia.entrypoints: entry_https
      traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
    depends_on:
      - authelia-redis
      - authelia-db
    networks:
      - traefik
      - postfix
      - authelia
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://authelia:9091"]
      interval: 30s
      timeout: 10s
      retries: 3
  authelia-redis:
    image: "redis:7.4.1"
    container_name: authelia-redis
    restart: unless-stopped
    pull_policy: missing
    environment:
      TZ: Europe/Berlin
    networks:
      - authelia
    healthcheck:
      test: ["CMD", "redis-cli", "--no-auth-warning", "ping"]
      interval: 5s
      timeout: 2s
      retries: 3
 ######## Datenbank ########
  authelia-db:
    image: "mariadb:11.5.2"
    container_name: authelia-db
    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
    restart: unless-stopped
    pull_policy: missing
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - db:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia/authelia_mysql_root_password', 'password') }}"
      MYSQL_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia/authelia_mysql_password', 'password') }}"
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_INITDB_SKIP_TZINFO: 1
    networks:
      - authelia
    healthcheck:
      test: ["CMD", "mariadb-show", "authelia", "-h", "localhost", "-u", "authelia", "-p{{ lookup('viczem.keepass.keepass', 'authelia/authelia_mysql_password', 'password') }}"]
      interval: 30s
      timeout: 10s
      retries: 3
 ######## Networks ########
 networks:
@ -37,3 +115,5 @@ networks:
 ######## Volumes ########
 volumes:
  acme_data:
  authelia_data:
  db:
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@ -2,6 +2,16 @@
 http:
 ###### router #####
  routers:
    router_munin:
      rule: "Host(`munin.mgrote.net`)"
      service: "service_munin"
      middlewares:
        - "ratelimit40@file"
        - "authelia@docker"
      entrypoints:
        - entry_https
      tls:
        certresolver: resolver_letsencrypt
    router_forgejo:
      rule: "Host(`git.mgrote.net`)"
      service: "service_forgejo"
@ -13,6 +23,10 @@ http:
        certresolver: resolver_letsencrypt
 ###### services #####
  services:
    service_munin:
      loadBalancer:
        servers:
          - url: "http://munin.mgrote.net/"
    service_forgejo:
      loadBalancer:
        servers:
--- a/docker-compose/unifi-network-application/docker-compose.yml.j2
+++ b/docker-compose/unifi-network-application/docker-compose.yml.j2
@ -45,7 +45,7 @@ services:
    # 1. mongosh
    # 2. db.getSiblingDB("unifidb").createUser({user: "unifiuser", pwd: "GEHEIM", roles: [{role: "dbOwner", db: "unifidb"}, {role: "dbOwner", db: "unifidb_stat"}]});
    # https://discourse.linuxserver.io/t/cant-connect-to-mongodb-for-unifi-network-application/8166
-    image: "docker.io/mongo:8.0.4"
+    image: "docker.io/mongo:8.0.3"
    container_name: unifi-db
    volumes:
      - db-data:/data/db
--- a/friedhof/lldap/docker-compose.yml.j2
+++ b/friedhof/lldap/docker-compose.yml.j2
@ -11,7 +11,7 @@ services:
      # For the web front-end
      - "17170:17170"
    networks:
-      - internal
+      - intern
      - traefik
      - postfix
    volumes:
@ -56,7 +56,7 @@ services:
      - MYSQL_USER=lldap-db-user
      - MYSQL_INITDB_SKIP_TZINFO=1
    networks:
-      - internal
+      - intern
    labels:
      - com.centurylinklabs.watchtower.enable=true
@ -66,7 +66,7 @@ volumes:
  db:
 ######## Networks ########
 networks:
-  internal:
+  intern:
  traefik:
    external: true
  postfix:
--- a/group_vars/blocky.yml
+++ b/group_vars/blocky.yml
@ -85,9 +85,13 @@ blocky_custom_lookups: # optional
  - name: fritz.box
    ip: 192.168.5.1
  - name: ldap.mgrote.net
-    ip: 192.168.2.43
+    ip: 192.168.2.47
  - name: munin.mgrote.net
-    ip: 192.168.2.40
+    ip: 192.168.2.43
  - name: s3.mgrote.net
    ip: 192.168.2.43
  - name: rui.mgrote.net
    ip: 192.168.2.43
 ### mgrote_munin_node
 # kann git.mgrote.net nicht auflösen, deshalb hiermit IP
--- a/group_vars/docker.yml
+++ b/group_vars/docker.yml
@ -1,4 +1,17 @@
 ---
 ### mgrote_minio_configure
 minio_url: https://s3.mgrote.net
 minio_root_access_key: "{{ lookup('viczem.keepass.keepass', 'minio/minio_root_access_key', 'password') }}"
 minio_root_secret_key: "{{ lookup('viczem.keepass.keepass', 'minio/minio_root_secret_key', 'password') }}"
 minio_users:
  - name: testuser
    secret: "{{ lookup('viczem.keepass.keepass', 'minio/minio_testuser_secret_key', 'password') }}"
    state: present
    policy: testbucket_rw
 minio_buckets:
  - name: testbucket
    state: present
 ### mrlesmithjr.manage_lvm
 lvm_groups:
  - vgname: vg_docker
@ -19,6 +32,7 @@ pvresize_to_max: true
 pip_package: python3-pip
 pip_install_packages:
  - name: docker # für munin-plugin docker_
  - name: minio # für ansible-minio_configure-Rolle
 ### mgrote.apt_manage_packages
 apt_packages_extra:
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@ -148,7 +148,7 @@ gitea_fail2ban_jail_bantime: "600"
 gitea_fail2ban_jail_action: "iptables-allports"
 ### mgrote_gitea_setup
-gitea_ldap_host: "docker10.mgrote.net"
+gitea_ldap_host: "ldap.mgrote.net"
 gitea_ldap_base_path: "dc=mgrote,dc=net"
 gitea_ldap_bind_user: "forgejo_bind_user"
 gitea_ldap_bind_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/lldap_forgejo_bind_user', 'password') }}"
--- a/group_vars/ldap.yml
+++ b/group_vars/ldap.yml
@ -35,7 +35,7 @@ ufw_rules:
    from_ip: 192.168.2.0/24
 ### mgrote_lldap
-lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.6.0-1+1.1_amd64.deb"
+lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+4.1_amd64.deb"
 lldap_logging_verbose: "true" # must be a string not a boolean
 lldap_http_port: 17170
 lldap_http_host: "0.0.0.0"
--- a/group_vars/munin.yml
+++ b/group_vars/munin.yml
@ -10,6 +10,7 @@ ufw_rules:
    to_port: 80
    protocol: tcp
    comment: 'munin'
    from_ip: 192.168.2.43 # nur von docker10 aus, wird in blocky dort auf traefik umgeleitet
 ### mgrote_restic
 restic_folders_to_backup: "/usr/local /etc /root /home /var/lib/munin"
@ -67,6 +68,9 @@ munin_hosts:
  - name: blocky.mgrote.net
    address: blocky.mgrote.net
    extra: ["use_node_name yes"]
  - name: ldap.mgrote.net
    address: ldap.mgrote.net
    extra: ["use_node_name yes"]
 ### mgrote_munin_node
 munin_node_bind_host: "127.0.0.1"
@ -101,7 +105,7 @@ munin_node_plugins:
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
    config: |
      [http_response]
-      env.sites https://git.mgrote.net https://docker10.mgrote.net:8443 http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net  https://auth.mgrote.net http://docker10.mgrote.net:17170
+      env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://rui.mgrote.net/ https://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net
      env.max_time 20
      env.short_label true
      env.follow_redirect true
--- a/group_vars/pve.yml
+++ b/group_vars/pve.yml
@ -40,7 +40,7 @@ cv4pve_api_user: root@pam!cv4pve-autosnap
 cv4pve_api_token: "{{ lookup('viczem.keepass.keepass', 'cv4pve_api_token', 'password') }}"
 cv4pve_vmid: all,-107
 cv4pve_keep_snapshots: 5
-cv4pve_version: v1.15.0
+cv4pve_version: v1.14.11
 ### mgrote_apt_manage_packages
 apt_packages_extra:
--- a/host_vars/docker10.mgrote.net.yml
+++ b/host_vars/docker10.mgrote.net.yml
@ -50,9 +50,8 @@ compose_files:
    state: present
  - name: act-runner
    state: present
-  - name: lldap
+  - name: minio
    state: present
    network: traefik
 ### oefenweb.ufw
 ufw_rules:
--- a/host_vars/pve5.mgrote.net.yml
+++ b/host_vars/pve5.mgrote.net.yml
@ -230,6 +230,8 @@ pve_pbs_datastore:
 ### mgrote_sync
 rsync_host_role: source
 rsync_mirror_dirs: # bei Src+Dest KEIN "/" am Ende
  - src: /hdd_data/tmp
    dest: "{{ rsync_mirror_user }}@pbs.mgrote.net:/backup/pve5/tmp"
  - src: /hdd_data/archiv
    dest: "{{ rsync_mirror_user }}@pbs.mgrote.net:/backup/pve5/archiv"
  - src: /hdd_data/backup
--- a/4
+++ b/4
@ -6,6 +6,9 @@ all:
    blocky:
      hosts:
        blocky.mgrote.net:
    ldap:
      hosts:
        ldap.mgrote.net:
    lxc:
      hosts:
        fileserver3.mgrote.net:
@ -44,6 +47,7 @@ all:
        docker10.mgrote.net:
        pbs.mgrote.net:
        blocky.mgrote.net:
        ldap.mgrote.net:
        munin.mgrote.net:
    test:
      hosts:
--- a/keepass_db.kdbx
+++ b/keepass_db.kdbx
--- a/playbooks/3_service/docker.yml
+++ b/playbooks/3_service/docker.yml
@ -25,3 +25,6 @@
    - role: mgrote_docker_housekeeping
      tags: "housekeeping"
      become: true
    - role: mgrote_minio_configure
      tags: "minio"
      become: true
--- a/playbooks/3_service/lldap.yml
+++ b/playbooks/3_service/lldap.yml
--- a/roles/mgrote_docker_compose_inline/tasks/main.yml
+++ b/roles/mgrote_docker_compose_inline/tasks/main.yml
@ -51,22 +51,13 @@
  when:
    - item.network is defined
- name: Pull images
+- name: restart changed container
  become: true
-  ansible.builtin.command: docker-compose pull
+  community.docker.docker_compose_v2:
-  args:
+    project_src: "{{ compose_dest_basedir }}/{{ item.name }}"
-    chdir: "{{ compose_dest_basedir }}/{{ item.name }}"
+    state: restarted
-  register: pull_result # speichere ergebnis in var
+    dependencies: true
-  changed_when: "pull_result.rc == 0" # markiere tasks als changed when exit-code == 0
+    pull: missing
  loop: "{{ compose_files }}"
 - name: (re)start container
  become: true
  ansible.builtin.command: docker-compose up -d
  args:
    chdir: "{{ compose_dest_basedir }}/{{ item.name }}"
  register: start_result # speichere ergebnis in var
  changed_when: "start_result.rc == 0" # markiere tasks als changed when exit-code == 0
  loop: "{{ compose_files }}"
  when:
    - item.state == "present"
--- a/friedhof/mgrote_lldap/defaults/main.yml
+++ b/friedhof/mgrote_lldap/defaults/main.yml
--- a/friedhof/mgrote_lldap/handlers/main.yml
+++ b/friedhof/mgrote_lldap/handlers/main.yml
--- a/friedhof/mgrote_lldap/tasks/main.yml
+++ b/friedhof/mgrote_lldap/tasks/main.yml
--- a/friedhof/mgrote_lldap/templates/lldap_config.toml.j2
+++ b/friedhof/mgrote_lldap/templates/lldap_config.toml.j2
--- a/friedhof/mgrote_minio_configure/defaults/main.yml
+++ b/friedhof/mgrote_minio_configure/defaults/main.yml
--- a/friedhof/mgrote_minio_configure/tasks/bucket.yml
+++ b/friedhof/mgrote_minio_configure/tasks/bucket.yml
@ -8,11 +8,9 @@
      url: "{{ minio_url }}"
    state: "{{ item.state | default('present') }}"
  loop: "{{ minio_buckets }}"
  delegate_to: localhost
 - name: Deletion Info
  ansible.builtin.debug:
    msg: "Deletion only possible with empty bucket ({{ item.name }})"
  when: '"absent" in item.state'
  loop: "{{ minio_buckets }}"
  delegate_to: localhost
--- a/friedhof/mgrote_minio_configure/tasks/client.yml
+++ b/friedhof/mgrote_minio_configure/tasks/client.yml
--- a/friedhof/mgrote_minio_configure/tasks/main.yml
+++ b/friedhof/mgrote_minio_configure/tasks/main.yml
@ -12,7 +12,6 @@
    access_key: "{{ minio_root_access_key }}"
    secret_key: "{{ minio_root_secret_key }}"
    state: present
  delegate_to: localhost
 - name: include policy tasks
  ansible.builtin.include_tasks: policy.yml
@ -32,7 +31,6 @@
    state: "{{ item.state | default('present') }}"
  loop: "{{ minio_users }}"
  no_log: "{{ no_debug | default('true') }}"
  delegate_to: localhost
 # Bug: delegate_to: localhost
 # in ansible-devspace wird das Python Paket "minio" nicht gefunden
--- a/friedhof/mgrote_minio_configure/tasks/policy.yml
+++ b/friedhof/mgrote_minio_configure/tasks/policy.yml
@ -7,7 +7,6 @@
    owner: root
    group: root
    mode: '0644'
  delegate_to: localhost
 - name: "prep: template policy files (ro)"
  ansible.builtin.template:
@ -17,7 +16,6 @@
    group: root
    mode: '0644'
  loop: "{{ minio_buckets }}"
  delegate_to: localhost
 - name: "prep: template policy files (rw)"
  ansible.builtin.template:
@ -27,19 +25,16 @@
    group: root
    mode: '0644'
  loop: "{{ minio_buckets }}"
  delegate_to: localhost
 - name: "setup policies (ro)"
  ansible.builtin.command: "{{ minio_client_bin }} --disable-pager admin policy create {{ minio_root_alias }} {{ item.name }}_ro {{ minio_config_dir }}/{{ item.name }}_ro"
  loop: "{{ minio_buckets }}"
  changed_when: false # Befehl gibt immer "Created policy `testbucket3_ro` successfully." aus, unabhängig ob sie schon existiert oder nicht.
  delegate_to: localhost
 - name: "setup policies (rw)"
  ansible.builtin.command: "{{ minio_client_bin }} --disable-pager admin policy create {{ minio_root_alias }} {{ item.name }}_rw {{ minio_config_dir }}/{{ item.name }}_rw"
  loop: "{{ minio_buckets }}"
  changed_when: false # Befehl gibt immer "Created policy `testbucket3_ro` successfully." aus, unabhängig ob sie schon existiert oder nicht.
  delegate_to: localhost
 - name: "remove old policy files"
  ansible.builtin.file:
@ -47,4 +42,3 @@
    state: absent
  loop: "{{ minio_buckets }}"
  when: '"absent" in item.state'
  delegate_to: localhost
--- a/friedhof/mgrote_minio_configure/templates/policy_ro.j2
+++ b/friedhof/mgrote_minio_configure/templates/policy_ro.j2
--- a/friedhof/mgrote_minio_configure/templates/policy_rw.j2
+++ b/friedhof/mgrote_minio_configure/templates/policy_rw.j2