From 95bc4540db2526d1a389ce60eb6bf5ab6298aeb4 Mon Sep 17 00:00:00 2001 From: Menno van Leeuwen Date: Mon, 29 Sep 2025 01:21:41 +0200 Subject: [PATCH] Add SatHub service deployment with Docker Compose and configuration --- ansible/tasks/servers/dynamic-dns.yml | 2 +- ansible/tasks/servers/server.yml | 4 + .../tasks/servers/services/caddy/Caddyfile.j2 | 39 +++++++ .../services/sathub/docker-compose.yml.j2 | 101 ++++++++++++++++++ .../tasks/servers/services/sathub/sathub.yml | 42 ++++++++ flake.lock | 6 +- 6 files changed, 190 insertions(+), 4 deletions(-) create mode 100644 ansible/tasks/servers/services/sathub/docker-compose.yml.j2 create mode 100644 ansible/tasks/servers/services/sathub/sathub.yml diff --git a/ansible/tasks/servers/dynamic-dns.yml b/ansible/tasks/servers/dynamic-dns.yml index 95fabd5..8675d75 100644 --- a/ansible/tasks/servers/dynamic-dns.yml +++ b/ansible/tasks/servers/dynamic-dns.yml @@ -18,7 +18,7 @@ #!/bin/bash # Run dynamic DNS update (binary compiled by utils.yml) - {{ ansible_user_dir }}/.local/bin/dynamic-dns-cf -record "vleeuwen.me,mvl.sh,mennovanleeuwen.nl" 2>&1 | logger -t dynamic-dns + {{ ansible_user_dir }}/.local/bin/dynamic-dns-cf -record "vleeuwen.me,mvl.sh,mennovanleeuwen.nl,sathub.de,sathub.nl" 2>&1 | logger -t dynamic-dns become: true - name: Create dynamic DNS systemd timer diff --git a/ansible/tasks/servers/server.yml b/ansible/tasks/servers/server.yml index 0e1996a..e7324b7 100644 --- a/ansible/tasks/servers/server.yml +++ b/ansible/tasks/servers/server.yml @@ -155,3 +155,7 @@ enabled: false hosts: - mennos-desktop + - name: sathub + enabled: true + hosts: + - mennos-desktop diff --git a/ansible/tasks/servers/services/caddy/Caddyfile.j2 b/ansible/tasks/servers/services/caddy/Caddyfile.j2 index 43f4b9f..c507757 100644 --- a/ansible/tasks/servers/services/caddy/Caddyfile.j2 +++ b/ansible/tasks/servers/services/caddy/Caddyfile.j2 
@@ -71,6 +71,45 @@ beszel.vleeuwen.me { tls {{ caddy_email }} } +sathub.de { + import country_block + + handle { + reverse_proxy sathub-frontend:4173 + } + + # Enable compression + encode gzip + + # Security headers + header { + X-Frame-Options "SAMEORIGIN" + X-Content-Type-Options "nosniff" + X-XSS-Protection "1; mode=block" + Referrer-Policy "strict-origin-when-cross-origin" + Strict-Transport-Security "max-age=31536000; includeSubDomains" + } + tls {{ caddy_email }} +} + +api.sathub.de { + import country_block + reverse_proxy sathub-backend:4001 + tls {{ caddy_email }} +} + +obj.sathub.de { + import country_block + reverse_proxy sathub-minio:9001 + tls {{ caddy_email }} +} + +sathub.nl { + import country_block + redir https://sathub.de{uri} + tls {{ caddy_email }} +} + photos.mvl.sh { import country_block reverse_proxy immich:2283 diff --git a/ansible/tasks/servers/services/sathub/docker-compose.yml.j2 b/ansible/tasks/servers/services/sathub/docker-compose.yml.j2 new file mode 100644 index 0000000..8708235 --- /dev/null +++ b/ansible/tasks/servers/services/sathub/docker-compose.yml.j2 
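Review bot: `obj.sathub.de` is proxied to `sathub-minio:9001`, which the compose template in this same commit assigns to the MinIO web console (`--console-address :9001`), so the admin login is published on a public hostname. The backend is configured with `MINIO_EXTERNAL_URL=https://obj.sathub.de` and reaches the S3 API on port 9000, so if this hostname is meant to serve objects the upstream should presumably be `reverse_proxy sathub-minio:9000`, with the console left unpublished or behind a separate access-restricted site. The `header` block (HSTS, `nosniff`, `Referrer-Policy`) is also set only on `sathub.de`; `api.sathub.de` and `obj.sathub.de` get none of it, and a shared snippet imported by all three sites would keep them consistent.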
@@ -0,0 +1,101 @@
+services:
+ backend:
+ image: ghcr.io/vleeuwenmenno/sathub/backend:latest
+ container_name: sathub-backend
+ restart: unless-stopped
+ environment:
+ - GIN_MODE=release
+ - FRONTEND_URL=${FRONTEND_URL:-https://sathub.de}
+
+ # Database settings
+ - DB_TYPE=postgres
+ - DB_HOST=postgres
+ - DB_PORT=5432
+ - DB_USER=${DB_USER:-sathub}
+ - DB_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+ - DB_NAME=${DB_NAME:-sathub}
+
+ # Security settings
+ - JWT_SECRET={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='JWT_SECRET') }}
+ - TWO_FA_ENCRYPTION_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='TWO_FA_ENCRYPTION_KEY') }}
+
+ # SMTP settings
+ - SMTP_HOST={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_HOST') }}
+ - SMTP_PORT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PORT') }}
+ - SMTP_USERNAME={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_USERNAME') }}
+ - SMTP_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PASSWORD') }}
+ - SMTP_FROM_EMAIL={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_FROM_EMAIL') }}
+
+ # MinIO settings
+ - MINIO_ENDPOINT=http://minio:9000
+ - MINIO_BUCKET=sathub-images
+ - MINIO_ACCESS_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
+ - MINIO_SECRET_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+ - MINIO_EXTERNAL_URL=https://obj.sathub.de
+ networks:
+ - sathub
+ - caddy_network
+ depends_on:
+ - postgres
+
+ postgres:
+ image: postgres:15-alpine
+ container_name: sathub-postgres
+ restart: unless-stopped
+ environment:
+ - POSTGRES_USER=${DB_USER:-sathub}
+ - POSTGRES_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+ - POSTGRES_DB=${DB_NAME:-sathub}
+ volumes:
+ - {{ sathub_data_dir }}/postgres:/var/lib/postgresql/data
+ networks:
+ - sathub
+
+ frontend:
+ image: ghcr.io/vleeuwenmenno/sathub/frontend:latest
+ container_name: sathub-frontend
+ restart: unless-stopped
+ environment:
+ - VITE_API_BASE_URL={{ frontend_api_base_url | default('https://api.sathub.de') }}
+ - VITE_ALLOWED_HOSTS={{ frontend_allowed_hosts | default('sathub.de,sathub.nl') }}
+ networks:
+ - sathub
+ - caddy_network
+
+ minio:
+ image: minio/minio
+ container_name: sathub-minio
+ restart: unless-stopped
+ environment:
+ - MINIO_ROOT_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
+ - MINIO_ROOT_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+ volumes:
+ - {{ sathub_data_dir }}/minio:/data
+ command: server /data --console-address :9001
+ networks:
+ - sathub
+ - caddy_network
+ depends_on:
+ - postgres
+
+ watchtower:
+ image: containrrr/watchtower:latest
+ container_name: sathub-watchtower
+ restart: unless-stopped
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ - WATCHTOWER_CLEANUP=true
+ - WATCHTOWER_INCLUDE_STOPPED=false
+ - REPO_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
+ - REPO_PASS={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
+ command: --interval 30 --cleanup --include-stopped=false sathub-backend sathub-frontend
+ networks:
+ - sathub
+
+networks:
+ sathub:
+ driver: bridge
+ caddy_network:
+ external: true
+ name: caddy_default
diff --git a/ansible/tasks/servers/services/sathub/sathub.yml b/ansible/tasks/servers/services/sathub/sathub.yml
new file mode 100644
index 0000000..3df63a8
--- /dev/null
+++ b/ansible/tasks/servers/services/sathub/sathub.yml
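Review bot: The backend is handed MinIO's root account: `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` are filled from the same `MINIO_ROOT_USER` / `MINIO_ROOT_PASSWORD` fields as the `minio` service, so a backend compromise yields full admin over the object store rather than access to `sathub-images` alone. A dedicated MinIO service account with a policy limited to that bucket, read from its own fields (for example `field='<BACKEND_ACCESS_KEY_FIELD>'`, a placeholder name), would contain that. The `watchtower` service mounts `/var/run/docker.sock`, holds the GitHub PAT and polls every 30 seconds, so whatever is pushed to the `:latest` tags of the backend and frontend images runs on the host almost immediately; pinning to versioned tags or digests (including the untagged `minio/minio`) and updating through the playbook would narrow that. The secrets are also interpolated unquoted into list items, so a value containing `$`, ` #` or `: ` will be altered by Compose interpolation or break the YAML; quoting the whole item would avoid the YAML half of that.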
@@ -0,0 +1,42 @@ +--- +- name: Deploy SatHub service + block: + - name: Set SatHub directories + ansible.builtin.set_fact: + sathub_service_dir: "{{ ansible_env.HOME }}/.services/sathub" + sathub_data_dir: "/mnt/services/sathub" + + - name: Set SatHub frontend configuration + ansible.builtin.set_fact: + frontend_api_base_url: "https://api.sathub.de" + frontend_allowed_hosts: "sathub.de,sathub.nl" + + - name: Create SatHub directory + ansible.builtin.file: + path: "{{ sathub_service_dir }}" + state: directory + mode: "0755" + + - name: Create SatHub data directory + ansible.builtin.file: + path: "{{ sathub_data_dir }}" + state: directory + mode: "0755" + + - name: Deploy SatHub docker-compose.yml + ansible.builtin.template: + src: docker-compose.yml.j2 + dest: "{{ sathub_service_dir }}/docker-compose.yml" + mode: "0644" + register: sathub_compose + + - name: Stop SatHub service + ansible.builtin.command: docker compose -f "{{ sathub_service_dir }}/docker-compose.yml" down --remove-orphans + when: sathub_compose.changed + + - name: Start SatHub service + ansible.builtin.command: docker compose -f "{{ sathub_service_dir }}/docker-compose.yml" up -d + when: sathub_compose.changed + tags: + - services + - sathub diff --git a/flake.lock b/flake.lock index bd805b0..e8010d6 100644 --- a/flake.lock +++ b/flake.lock @@ -41,11 +41,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1758589230, - "narHash": "sha256-zMTCFGe8aVGTEr2RqUi/QzC1nOIQ0N1HRsbqB4f646k=", + "lastModified": 1758791193, + "narHash": "sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e+HYf0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d1d883129b193f0b495d75c148c2c3a7d95789a0", + "rev": "25e53aa156d47bad5082ff7618f5feb1f5e02d01", "type": "github" }, "original": {
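Review bot: The rendered `docker-compose.yml` is written with `mode: "0644"` into a directory created with `mode: "0755"`, yet the template inlines the database password, JWT secret, 2FA encryption key, SMTP password, MinIO root password and GitHub PAT, so any local account on the host can read them. Use `mode: "0600"` on the template task and `mode: "0700"` on `sathub_service_dir`, and consider `no_log: true` on the template task so a `--diff` run does not print the secrets. The two `ansible.builtin.command` tasks have no `changed_when`, and the stop/start pair would read more clearly as a handler notified by the template task.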