initial commit: Dawarich LXC role (CT 459 on pve02, .159)
Self-hosted location history. 4-container compose: Rails 8 app + Sidekiq + PostGIS 16-3.4 + Redis 7, plus watchtower. Authentik OIDC end-to-end. Image pinned at freikin/dawarich:1.7.11 (OIDC support requires >= 1.7.8).

PostGIS DB lives in this LXC, not on the central DB VM (.172) — the central image is postgres:16-alpine without postgis, and swapping it carries a broader blast radius than colocating here. Convention exception captured in homelab-docs project_dawarich memory.

Roles:
- dawarich: system + Docker + compose + weekly prune timer
- alloy: logs+journald → Loki, node metrics → Prometheus

Bring-up sequence proven 2026-06-01. README documents the 5-trap build chain (image version, entrypoint scripts, solid_cache SQLite bind mount, APPLICATION_HOSTS+localhost, force_ssl+healthcheck).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,84 @@
|
||||
---
|
||||
timezone: America/Toronto
|
||||
|
||||
packages:
|
||||
- apt-utils
|
||||
- bash-completion
|
||||
- ca-certificates
|
||||
- curl
|
||||
- git
|
||||
- gnupg
|
||||
- htop
|
||||
- net-tools
|
||||
- openssh-server
|
||||
- python3
|
||||
- python3-pip
|
||||
- sudo
|
||||
- vim
|
||||
- wget
|
||||
|
||||
users:
|
||||
- name: cbalders
|
||||
groups: sudo
|
||||
shell: /bin/bash
|
||||
|
||||
ssh_authorized_keys:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINALaic1jpoP6t1urbZqJLI1eU5NeTVD9k8AAMAvOvvk OfficeMini"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzTHdCiQjhIHsGB8oMpyKtr9TZXrXeIRKwcwe698zMW Generated By Termius"
|
||||
|
||||
# Alloy ships Docker logs + journald to Loki on observe.lan.balders.ca + node
|
||||
# metrics to Prometheus. Pattern mirrors every other LXC.
|
||||
alloy_host_label: dawarich
|
||||
alloy_loki_url: http://observe.lan.balders.ca:3100/loki/api/v1/push
|
||||
alloy_prom_job: node_lxc
|
||||
alloy_prom_group: lxc
|
||||
alloy_prom_hostname: dawarich
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Dawarich — self-hosted location history
|
||||
# ------------------------------------------------------------------------------
|
||||
# Pin image tags (Dawarich ships breaking schema changes on minor bumps). Bump
|
||||
# in lockstep across app + sidekiq, never split — they share the same DB
|
||||
# migrations. Check release notes before bumping.
|
||||
# Pinned tag — OIDC support first landed in 1.7.8 (2026-05-16). DO NOT
|
||||
# downgrade below 1.7.8 without disabling OIDC. Bump in lockstep with sidekiq.
|
||||
dawarich_image: "freikin/dawarich:1.7.11"
|
||||
# Official PostGIS image — alpine variant. Strict superset of postgres:16-alpine
|
||||
# so swapping to it later (if we ever centralize on DB VM) is non-breaking.
|
||||
postgis_image: "postgis/postgis:16-3.4-alpine"
|
||||
redis_image: "redis:7-alpine"
|
||||
|
||||
dawarich_port: 3000
|
||||
dawarich_site_url: "https://dawarich.balders.ca"
|
||||
dawarich_domain: "dawarich.balders.ca"
|
||||
|
||||
# Database (local — central DB VM doesn't load PostGIS extension; see memory
|
||||
# project_dawarich for the convention exception rationale).
|
||||
dawarich_db_name: "dawarich"
|
||||
dawarich_db_user: "dawarich"
|
||||
|
||||
# Background processing — keep modest to leave headroom for the web tier.
|
||||
# Dawarich docs default 5; bump cautiously if Sidekiq queue depth grows.
|
||||
dawarich_sidekiq_concurrency: 5
|
||||
|
||||
# Geocoding — disabled in v1. Dawarich falls back to its internal lightweight
|
||||
# lookup. Self-hosted Photon stack is a future addition; uncomment + set host
|
||||
# when wired.
|
||||
# dawarich_photon_api_host: "photon.lan.balders.ca"
|
||||
|
||||
# OIDC via Authentik. Client id/secret live in Infisical /oidc/ (pushed into
|
||||
# Authentik by homelab-ansible-pi-auth's oidc_clients role).
|
||||
dawarich_oidc_enabled: true
|
||||
dawarich_oidc_issuer: "https://auth.balders.ca/application/o/dawarich/"
|
||||
dawarich_oidc_redirect_uri: "https://dawarich.balders.ca/users/auth/openid_connect/callback"
|
||||
dawarich_oidc_provider_name: "Authentik"
|
||||
# false → only OIDC users can sign in (we want SSO-only). First OIDC login
|
||||
# becomes the canonical user account.
|
||||
dawarich_allow_email_password_registration: false
|
||||
dawarich_oidc_auto_register: true
|
||||
|
||||
# Infisical (secrets source)
|
||||
infisical_url: "https://secrets.balders.ca"
|
||||
infisical_project_id: "50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
|
||||
infisical_client_id: "828d2cc8-eb25-4b1e-a711-c9a4b1580106"
|
||||
infisical_client_secret: "{{ vault_infisical_client_secret }}"
|
||||
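Review bot: `dawarich_domain` and `dawarich_oidc_redirect_uri` restate the hostname that `dawarich_site_url` already carries, so a domain change has three places to drift apart, and a redirect URI that no longer matches what Authentik has registered will typically fail the login flow; derive them as `dawarich_domain: "{{ dawarich_site_url | urlsplit('hostname') }}"` and `dawarich_oidc_redirect_uri: "{{ dawarich_site_url }}/users/auth/openid_connect/callback"`. The comment above `dawarich_allow_email_password_registration` says `false` means "only OIDC users can sign in", but the key name only speaks to registration; unless the role verified that pre-existing password accounts are refused too, reword it to `# false → no new email/password sign-ups; accounts are created only via OIDC auto-register` so nobody reads it as the SSO-only guarantee. With `dawarich_oidc_auto_register: true`, who may end up with an account is decided by the Authentik application's access policy rather than anything in this file, which deserves a one-line comment beside it. `alloy_loki_url` is the only unquoted URL here and the only plain `http://` endpoint; quote it like the others, and state in its comment whether plaintext log shipping to the observe host is an accepted LAN-only choice, since container logs can carry request data.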