feat: Sparky fitness

ansible/inventories/group_vars/all/app_disks.yml

@@ -20,3 +20,12 @@ app_data_disks:
     disk_id: scsi1
     mount_point: /data/trek
     device: /dev/sdb
+  forgejo:
+    vm: apps-1
+    vmid: 430
+    node: yunobo
+    size: "50"
+    storage: nvme-2tb
+    disk_id: scsi2
+    mount_point: /data/forgejo
+    device: /dev/sdc

ansible/inventories/group_vars/all/main.yml

@@ -97,6 +97,11 @@ auto_configure_traefik:
     host: "10.0.2.21"
     port: 3000
     internal: true
+  jellyfin:
+    subdomain: "jellyfin"
+    host: "10.0.2.11"
+    port: 8096
+    internal: true
 
   vaultwarden:
     subdomain: "pwds"
@@ -138,6 +143,11 @@ auto_configure_traefik:
     host: "10.0.2.28"
     port: 3000
     internal: false
+  forgejo:
+    subdomain: "git"
+    host: "10.0.4.30"
+    port: 8086
+    internal: false
   immich:
     subdomain: "immich"
     host: "10.0.2.18"
@@ -219,7 +229,7 @@ auto_configure_traefik:
     subdomain: "wealth"
     host: "10.0.2.40"
     port: 8088
-    internal: true
+    internal: false
   trek:
     subdomain: "trips"
     host: "10.0.4.30"
@@ -235,6 +245,12 @@ auto_configure_traefik:
     host: "10.0.4.30"
     port: 3000
     internal: true
+  kvm:
+    subdomain: "kvm"
+    host: "10.0.3.1"
+    port: 80
+    internal: true
+    forward_https: true
 
 # Auth services configuration
 pocketid_host: 10.0.4.10

ansible/playbooks/configure_vms.yml

@@ -36,6 +36,7 @@
     - docker
     - komodo-periphery
     - trek
+    - forgejo
 
 - hosts: apps-2
   become: yes

ansible/roles/forgejo/tasks/main.yml

@@ -0,0 +1,53 @@
+---
+- name: Add data disk to VM for forgejo
+  community.proxmox.proxmox_disk:
+    api_host: "{{ proxmox_api_host }}"
+    api_user: "{{ proxmox_api_user }}"
+    api_token_id: "{{ proxmox_api_token_id }}"
+    api_token_secret: "{{ proxmox_api_token_secret }}"
+    vmid: "{{ app_data_disks.forgejo.vmid }}"
+    disk: "{{ app_data_disks.forgejo.disk_id }}"
+    storage: "{{ app_data_disks.forgejo.storage }}"
+    size: "{{ app_data_disks.forgejo.size }}"
+    state: present
+  delegate_to: localhost
+  become: no
+  run_once: true
+  ignore_errors: yes
+  register: disk_result
+
+- name: Display disk creation result
+  debug:
+    var: disk_result
+
+- name: Wait for data disk to be available
+  wait_for:
+    path: "{{ app_data_disks.forgejo.device }}"
+    state: present
+    timeout: 30
+
+- name: Check if data disk is formatted
+  command: "blkid {{ app_data_disks.forgejo.device }}"
+  register: disk_formatted
+  failed_when: false
+  changed_when: false
+
+- name: Format data disk with ext4
+  filesystem:
+    fstype: ext4
+    dev: "{{ app_data_disks.forgejo.device }}"
+  when: disk_formatted.rc != 0
+
+- name: Create forgejo data mount point
+  file:
+    path: "{{ app_data_disks.forgejo.mount_point }}"
+    state: directory
+    mode: "0755"
+
+- name: Mount data disk
+  mount:
+    path: "{{ app_data_disks.forgejo.mount_point }}"
+    src: "{{ app_data_disks.forgejo.device }}"
+    fstype: ext4
+    state: mounted
+    opts: defaults

docker-compose/apps-1/dahua-to-mqtt/.env

@@ -1,9 +0,0 @@
-DAHUA_VTO_HOST=192.168.1.100
-DAHUA_VTO_USERNAME=admin
-DAHUA_VTO_PASSWORD=admin1234
-MQTT_BROKER_HOST=10.0.2.100
-MQTT_BROKER_PORT=1883
-MQTT_BROKER_USERNAME=lino
-MQTT_BROKER_TOPIC_PREFIX=DahuaVTO
-MQTT_BROKER_CLIENT_ID=DahuaVTO2MQTT
-DEBUG=False

docker-compose/apps-1/forgejo/compose.yaml

@@ -0,0 +1,38 @@
+services:
+  server:
+    image: codeberg.org/forgejo/forgejo:15
+    container_name: forgejo
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    restart: always
+    volumes:
+      - /data/forgejo:/data
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "8086:3000"
+      - "222:22"
+
+  docker-in-docker:
+    image: docker:dind
+    container_name: "docker_dind"
+    privileged: "true"
+    command: ["dockerd", "-H", "tcp://0.0.0.0:2375", "--tls=false"]
+    restart: "unless-stopped"
+
+  runner:
+    image: "data.forgejo.org/forgejo/runner:12"
+    links:
+      - docker-in-docker
+    depends_on:
+      docker-in-docker:
+        condition: service_started
+    container_name: "runner"
+    environment:
+      DOCKER_HOST: tcp://docker-in-docker:2375
+    # User without root privileges, but with access to `./data`.
+    user: 1001:1001
+    volumes:
+      - /data/forgejo/runner:/data
+    restart: "unless-stopped"
+    command: "forgejo-runner daemon --config /data/runner-config.yml"

docker-compose/apps-1/homelable/.env

@@ -1,14 +0,0 @@
-# Backend - server-side only (NEVER commit .env)
-SQLITE_PATH=/data/homelab.db
-# Set this to the URL(s) you use to access Homelable in your browser.
-CORS_ORIGINS=["http://localhost:5173","http://localhost:3000","https://infra.lino.cooking"]
-
-AUTH_USERNAME=admin
-
-# Scanner — JSON array of CIDR ranges to scan
-SCANNER_RANGES=["192.168.1.0/24", "10.0.0.0/21"]
-
-# Status checker interval in seconds
-STATUS_CHECKER_INTERVAL=60
-
-LIVEVIEW_KEY=avlS0EW5im0ry9xF2gtJsDxhInef3iJbW7Ix396rOO0

docker-compose/apps-1/price-tracker/compose.yaml

@@ -1,6 +1,6 @@
 services:
   webserver:
-    image: gitea.lino.cooking/lino/bpi-stock-price-scraper:latest
+    image: git.lino.cooking/lino/bpi-stock-price-scraper:latest
     container_name: price-tracker
     ports:
       - "3000:3000"

docker-compose/apps-1/sparky-fitness/.env

@@ -0,0 +1,210 @@
+# SparkyFitness Environment Variables
+# Copy this file to .env in the root directory and fill in your own values before running 'docker-compose up'.
+
+# --- PostgreSQL Database Settings ---
+# These values should match the ones used by your PostgreSQL container.
+# For local development (running Node.js directly), use 'localhost' or '127.0.0.1' if PostgreSQL is on your host.
+SPARKY_FITNESS_DB_NAME=sparkyfitness_db
+#SPARKY_FITNESS_DB_USER is super user for DB initialization and migrations.
+SPARKY_FITNESS_DB_USER=sparky
+SPARKY_FITNESS_DB_PASSWORD=changeme_db_password
+# Application database user with limited privileges. it can be changed any time after initialization.
+SPARKY_FITNESS_APP_DB_USER=sparky_app
+SPARKY_FITNESS_APP_DB_PASSWORD=password
+
+# For Docker Compose deployments, SPARKY_FITNESS_DB_HOST will be the service name (e.g., 'sparkyfitness-db').
+#SPARKY_FITNESS_DB_HOST=sparkyfitness-db
+
+# SPARKY_FITNESS_DB_PORT controls the HOST port for external database access (e.g., pgAdmin, DBeaver).
+# To use this, you must also uncomment the 'ports' section under sparkyfitness-db in docker-compose.prod.yml.
+# Inside Docker, containers always communicate on port 5432 (the internal PostgreSQL port).
+# Changing this value will NOT affect container-to-container communication.
+#SPARKY_FITNESS_DB_PORT=5432
+
+# --- Backend Server Settings ---
+# The hostname or IP address of the backend server.
+# For Docker Compose, this is typically the service name (e.g., 'sparkyfitness-server').
+# For local development or other deployments, this might be 'localhost' or a specific IP.
+SPARKY_FITNESS_SERVER_HOST=sparkyfitness-server
+# The external port the server will be exposed on.
+SPARKY_FITNESS_SERVER_PORT=3010
+
+
+
+# The public URL of your frontend (e.g., https://fitness.example.com). This is crucial for CORS security.
+# For local development, use http://localhost:8080. For production, use your domain with https.
+SPARKY_FITNESS_FRONTEND_URL=http://localhost:3004
+
+
+# Allow CORS requests from private network addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, localhost, etc.)
+# SECURITY WARNING: Only enable this if you are running on a private/self-hosted network.
+# Do NOT enable on shared hosting or cloud environments where other users might access your network.
+# Default: false (secure default - only the configured SPARKY_FITNESS_FRONTEND_URL is allowed)
+#ALLOW_PRIVATE_NETWORK_CORS=false
+
+# A comma-separated list of additional URLs that Better Auth should trust.
+# This is useful when accessing the app from a specific local IP on your network.
+# Example: SPARKY_FITNESS_EXTRA_TRUSTED_ORIGINS=http://192.168.1.175:8080,http://10.0.0.5:8080
+# SPARKY_FITNESS_EXTRA_TRUSTED_ORIGINS=
+
+# Logging level for the server (e.g., INFO, DEBUG, WARN, ERROR)
+SPARKY_FITNESS_LOG_LEVEL=ERROR
+
+# Node.js environment mode (e.g., development, production, test)
+# Set to 'production' for deployment to ensure optimal performance and security.
+NODE_ENV=production
+
+# Server timezone. Use a TZ database name (e.g., 'America/New_York', 'Etc/UTC').
+# This affects how dates/times are handled by the server if not explicitly managed in code.
+TZ=Europe/Lisbon
+
+# --- Security Settings ---
+# A 64-character hex string for data encryption. 
+# You can generate a secure key with the following command:
+# openssl rand -hex 32
+# or 
+# node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+# Changing this will invalidate existing encrypted data. You will need to delete and add External Data sources again.
+SPARKY_FITNESS_API_ENCRYPTION_KEY=b65743a2f9946be8b7f14083f59183f26bc07c9d2d352a96b2d186a06907e111
+# For Docker Swarm/Kubernetes secrets, you can use a file-based secret:
+# SPARKY_FITNESS_API_ENCRYPTION_KEY_FILE=/run/secrets/sparkyfitness_api_key
+
+# BETTER_AUTH_SECRET is used to sign sessions and encrypt 2FA/TOTP data.
+# CRITICAL: If you change this after users have enabled 2FA, they will be LOCKED OUT of their accounts.
+# Ensure this is set to a strong, persistent value during initial setup and is never changed.
+# If you MUST change it, all users must disable Two-Factor Authentication (TOTP) first.
+BETTER_AUTH_SECRET=297f9b19e4f13b3ce45af8f1fcc8234264223b6c2052e1f51ea6869583325ecc
+# For Docker Swarm/Kubernetes secrets, you can use a file-based secret:
+# BETTER_AUTH_SECRET_FILE=/run/secrets/sparkyfitness_better_auth_secret
+
+# --- Signup Settings ---
+# Set to 'true' to disable new user registrations.
+SPARKY_FITNESS_DISABLE_SIGNUP=false
+
+# --- Admin Settings ---
+# Set the email of a user to automatically grant admin privileges on server startup.
+# This is useful for development or initial setup.
+# Example: SPARKY_FITNESS_ADMIN_EMAIL=admin@example.com
+# Optional. If not set, no admin user will be created automatically.
+SPARKY_FITNESS_ADMIN_EMAIL=sparkyfitness@lino.cooking
+
+# --- OIDC Authentication Configuration ---
+# Set to 'true' to disable email/password login on the login page (overridden by SPARKY_FITNESS_FORCE_EMAIL_LOGIN).
+SPARKY_FITNESS_DISABLE_EMAIL_LOGIN=true
+
+# Set to 'true' to enable OIDC login. When set, overrides the database value from Admin > Authentication Settings.
+SPARKY_FITNESS_OIDC_AUTH_ENABLED=true
+
+# Display name and provider slug (URL-safe id) for the ENV-configured OIDC provider.
+SPARKY_FITNESS_OIDC_PROVIDER_SLUG=pocket-id
+SPARKY_FITNESS_OIDC_PROVIDER_NAME=Pocket ID
+
+SPARKY_FITNESS_OIDC_AUTO_REGISTER=true
+SPARKY_FITNESS_OIDC_LOGO_URL=https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/pocket-id.svg
+
+# OIDC issuer URL (e.g. https://example.com). Discovery URL is derived as issuer + /.well-known/openid-configuration.
+# When set with CLIENT_ID, CLIENT_SECRET and PROVIDER_SLUG, an ENV-configured OIDC provider is upserted at startup.
+SPARKY_FITNESS_OIDC_ISSUER_URL=https://auth.lino.cooking/application/o/{{slug}}/
+
+# SPARKY_FITNESS_OIDC_DOMAIN=example.com
+
+# OIDC client credentials from your IdP.
+# SPARKY_FITNESS_OIDC_CLIENT_ID=
+# SPARKY_FITNESS_OIDC_CLIENT_SECRET=
+
+# SPARKY_FITNESS_OIDC_SCOPE=openid email profile
+
+# Set to 'true' to allow auto-redirect to the single OIDC provider when email login is disabled.
+SPARKY_FITNESS_OIDC_AUTO_REDIRECT=true
+
+# Group/claim values from your IdP for role mapping (admin vs user). Configure your IdP to send these in token claims.
+# SPARKY_FITNESS_OIDC_ADMIN_GROUP=Admin
+# --- Advanced OIDC Settings ---
+# SPARKY_FITNESS_OIDC_TOKEN_AUTH_METHOD=client_secret_post
+# SPARKY_FITNESS_OIDC_ID_TOKEN_SIGNED_ALG=RS256
+# SPARKY_FITNESS_OIDC_USERINFO_SIGNED_ALG=none
+# SPARKY_FITNESS_OIDC_TIMEOUT=30000
+
+# Set custom uploads and backups directory. Only needed for standalone installation
+# SPARKY_FITNESS_CUSTOM_UPLOADS_DIRECTORY=
+# SPARKY_FITNESS_CUSTOM_BACKUP_DIRECTORY=
+#
+# --- Login Management Fail-Safe ---
+# Set to 'true' to force email/password login to be enabled, overriding any in-app settings.
+# This is a fail-safe to prevent being locked out if OIDC is misconfigured.
+# SPARKY_FITNESS_FORCE_EMAIL_LOGIN=true
+
+# --- Email Settings (Optional) ---
+# Configure these variables if you want to enable email notifications (e.g., for password resets).
+# If not configured, email functionality will be disabled.
+# SPARKY_FITNESS_EMAIL_HOST=smtp.example.com
+# SPARKY_FITNESS_EMAIL_PORT=587
+# SPARKY_FITNESS_EMAIL_SECURE=true # Use 'true' for TLS/SSL, 'false' for plain text
+# SPARKY_FITNESS_EMAIL_USER=your_email@example.com
+# SPARKY_FITNESS_EMAIL_PASS=your_email_password
+# SPARKY_FITNESS_EMAIL_FROM=no-reply@example.com
+
+# --- Volume Paths (Optional) ---
+# These paths define where Docker volumes will store persistent data on your host.
+# If not set, Docker will manage volumes automatically in its default location.
+DB_PATH=/data/sparky-fitness/postgresql # Path for PostgreSQL database data
+SERVER_BACKUP_PATH=/data/sparky-fitness/backup # Path for server backups
+SERVER_UPLOADS_PATH=/data/sparky-fitness/uploads # Path for profile pictures and exercise images
+
+
+# --- API Key Rate Limiting (Optional) ---
+# Override the default rate limit for API key authentication (used by automation tools like n8n).
+# Defaults to 100 requests per 60-second window if not set.
+#SPARKY_FITNESS_API_KEY_RATELIMIT_WINDOW_MS=60000
+#SPARKY_FITNESS_API_KEY_RATELIMIT_MAX_REQUESTS=100
+
+# --- Start of Garmin Integration Settings ---
+#Below variables are needed only for Garmin integration. If you don't use Garmin integration, you can remove them in your .env file.
+
+
+# The URL for the Garmin microservice.
+# For Docker Compose, this would typically be the service name and port (e.g., 'http://sparkyfitness-garmin:8000').
+# For local development, use 'http://localhost:8000' or the port you've configured.
+
+# GARMIN_MICROSERVICE_URL=http://sparkyfitness-garmin:8000
+
+
+# This is used for Garmin Connect synchronization.
+# If you are not using Garmin integration, you don't need this. Make sure this matches with GARMIN_MICROSERVICE_URL.
+# GARMIN_SERVICE_PORT=8000
+
+# set to true for China region. Everything else should be false. Optional - defaults to false
+# GARMIN_SERVICE_IS_CN=false  
+
+# --- End of  Garmin Integration Settings ---
+
+
+
+# --- MCP Server Settings ---
+# The port the MCP server will listen on.
+# SPARKY_FITNESS_MCP_PORT=3001
+
+# Vision API Settings (for sparky_analyze_food_image and sparky_scan_label)
+# Supported providers: gemini, openai, anthropic
+# VISION_API_PROVIDER=gemini
+# VISION_API_KEY=
+
+# Set to 'true' to enable developer tools (e.g., sparky_inspect_schema)
+# Requires the authenticated user to have the 'admin' role.
+# DEV_TOOLS_ENABLED=false
+
+# ----- Developers Section -----
+# Data source for external integrations (fitbit, garmin, withings).
+# By default, these use live APIs. Set to 'local' to use mock data from the mock_data directory.
+# To use these variables, you will also need to pass to Server container. For Garmin, pass to Garmin container.
+
+#SPARKY_FITNESS_FITBIT_DATA_SOURCE=local
+#SPARKY_FITNESS_WITHINGS_DATA_SOURCE=local
+#SPARKY_FITNESS_GARMIN_DATA_SOURCE=local
+#SPARKY_FITNESS_POLAR_DATA_SOURCE=local
+#SPARKY_FITNESS_HEVY_DATA_SOURCE=local
+
+# Set to 'true' to capture live API responses into mock data JSON files. Defaults to false.
+#SPARKY_FITNESS_SAVE_MOCK_DATA=false
+
+#-----------------------------

docker-compose/apps-1/sparky-fitness/compose.yaml

@@ -0,0 +1,70 @@
+services:
+  sparkyfitness-db:
+    image: postgres:18.3-alpine
+    container_name: sparkyfitness-db
+    restart: always
+    # Uncomment below to expose PostgreSQL to the host (e.g., for pgAdmin, DBeaver).
+    # ports:
+    #   - "${SPARKY_FITNESS_DB_PORT:-5432}:5432"
+    environment:
+      POSTGRES_DB: ${SPARKY_FITNESS_DB_NAME:?Variable is required and must be set}
+      POSTGRES_USER: ${SPARKY_FITNESS_DB_USER:?Variable is required and must be set}
+      POSTGRES_PASSWORD: ${SPARKY_FITNESS_DB_PASSWORD:?Variable is required and must be set}
+      PUID: 1000
+      GUID: 1000
+    volumes:
+      - ${DB_PATH:-./postgresql}:/var/lib/postgresql
+
+  sparkyfitness-server:
+    image: codewithcj/sparkyfitness_server:latest # Use pre-built image
+    environment:
+      SPARKY_FITNESS_LOG_LEVEL: ${SPARKY_FITNESS_LOG_LEVEL}
+      ALLOW_PRIVATE_NETWORK_CORS: ${ALLOW_PRIVATE_NETWORK_CORS:-false}
+      SPARKY_FITNESS_EXTRA_TRUSTED_ORIGINS: ${SPARKY_FITNESS_EXTRA_TRUSTED_ORIGINS:-}
+      SPARKY_FITNESS_DB_USER: ${SPARKY_FITNESS_DB_USER:-sparky}
+      SPARKY_FITNESS_DB_HOST: ${SPARKY_FITNESS_DB_HOST:-sparkyfitness-db} # Use the service name 'sparkyfitness-db' for inter-container communication
+      SPARKY_FITNESS_DB_NAME: ${SPARKY_FITNESS_DB_NAME}
+      SPARKY_FITNESS_DB_PASSWORD: ${SPARKY_FITNESS_DB_PASSWORD:?Variable is required and must be set}
+      SPARKY_FITNESS_APP_DB_USER: ${SPARKY_FITNESS_APP_DB_USER:-sparkyapp}
+      SPARKY_FITNESS_APP_DB_PASSWORD: ${SPARKY_FITNESS_APP_DB_PASSWORD:?Variable is required and must be set}
+      SPARKY_FITNESS_DB_PORT: 5432 # Uses internal container port. Do NOT change this if SPARKY_FITNESS_DB_HOST is using container name.
+      SPARKY_FITNESS_API_ENCRYPTION_KEY: ${SPARKY_FITNESS_API_ENCRYPTION_KEY:?Variable is required and must be set}
+      # Uncomment the line below and comment the line above to use a file-based secret
+      # SPARKY_FITNESS_API_ENCRYPTION_KEY_FILE: /run/secrets/sparkyfitness_api_key
+
+      BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET:?Variable is required and must be set}
+      # Uncomment the line below and comment the line above to use a file-based secret
+      # BETTER_AUTH_SECRET_FILE: /run/secrets/sparkyfitness_better_auth_secret
+      SPARKY_FITNESS_FRONTEND_URL: ${SPARKY_FITNESS_FRONTEND_URL:-http://0.0.0.0:3004}
+      SPARKY_FITNESS_DISABLE_SIGNUP: ${SPARKY_FITNESS_DISABLE_SIGNUP}
+      SPARKY_FITNESS_ADMIN_EMAIL: ${SPARKY_FITNESS_ADMIN_EMAIL} #User with this email can access the admin panel
+      SPARKY_FITNESS_EMAIL_HOST: ${SPARKY_FITNESS_EMAIL_HOST}
+      SPARKY_FITNESS_EMAIL_PORT: ${SPARKY_FITNESS_EMAIL_PORT}
+      SPARKY_FITNESS_EMAIL_SECURE: ${SPARKY_FITNESS_EMAIL_SECURE}
+      SPARKY_FITNESS_EMAIL_USER: ${SPARKY_FITNESS_EMAIL_USER}
+      SPARKY_FITNESS_EMAIL_PASS: ${SPARKY_FITNESS_EMAIL_PASS}
+      SPARKY_FITNESS_EMAIL_FROM: ${SPARKY_FITNESS_EMAIL_FROM}
+      GARMIN_MICROSERVICE_URL: http://sparkyfitness-garmin:8000 # Add Garmin microservice URL
+      PUID: 1000
+      GUID: 1000
+    restart: always
+    depends_on:
+      - sparkyfitness-db # Backend depends on the database being available
+    volumes:
+      - ${SERVER_BACKUP_PATH:-./backup}:/app/SparkyFitnessServer/backup # Mount volume for backups
+      - ${SERVER_UPLOADS_PATH:-./uploads}:/app/SparkyFitnessServer/uploads # Mount volume for Profile pictures and excercise images
+
+  sparkyfitness-frontend:
+    image: codewithcj/sparkyfitness:latest # Use pre-built image
+    ports:
+      - "8087:80" # Map host port 8087 to container port 80 (Nginx)
+    environment:
+      SPARKY_FITNESS_FRONTEND_URL: ${SPARKY_FITNESS_FRONTEND_URL}
+      SPARKY_FITNESS_SERVER_HOST: sparkyfitness-server # Internal Docker service name for the backend
+      SPARKY_FITNESS_SERVER_PORT: 3010 # Port the backend server listens on
+      PUID: 1000
+      GUID: 1000
+    restart: always
+    depends_on:
+      - sparkyfitness-server # Frontend depends on the server
+      #- sparkyfitness-garmin # Frontend depends on Garmin microservice. Enable if you are using Garmin Connect features.