Add Antigravity Rules, implement them in existing config (#8)

* feat: add repository rules and update README

* fix(monitoring): pin images, isolate dbs

Author: geeksbsmrt

.antigravity/rules.md

@@ -0,0 +1,65 @@
+# Repository Rules: RaspberryPi
+
+This file defines the standards and requirements for the `geeksbsmrt/RaspberryPi` home lab repository.
+
+## 1. Technical Stack
+
+- **Primary Scripting**: Bash (.sh) is the preferred language for orchestration and local maintenance.
+- **Orchestration**: Docker Compose for service management.
+- **Excluded**: PowerShell 7 and .NET/C# are discouraged for this repository unless explicitly requested.
+
+## 2. Networking & IP Management
+
+The environment primarily uses the `192.168.254.0/24` range for Docker containers within the broader `192.168.0.0/16` home network.
+
+### Allocation Strategy
+
+- **Public Services**: Internet-routable through Caddy. Assigned from the **bottom** of the macvlan range (e.g., `.1`, `.2`, `.3`...).
+- **Internal Services**: Databases, support services (e.g., Unbound). Assigned from the **top** of the macvlan range (e.g., `.254`, `.253`, `.252`...).
+
+### Network Isolation
+
+- **Rule**: Backend services (Databases, Redis, etc.) should use internal Docker bridge networks where possible. Only front-facing services (Caddy, Pi-hole) or those requiring direct subnet access should be exposed to the `macvlan` network.
+
+### Naming Conventions
+
+- **Variable**: `IP_SERVICE(_FUNCTION)` (e.g., `IP_PIHOLE`, `IP_UMAMI_DB`).
+- **Container**: Must be named for the service they provide.
+
+## 3. Secret Management
+
+- **Primary Source**: `secrets.sops.env` (Encrypted via SOPS/AGE).
+- **Secondary**: `docker/.env` (Local plaintext, derived from or kept in sync with SOPS).
+- **Requirement**: The following MUST be placed in both files and encrypted in the `.sops.env`:
+  - API keys, passwords, and tokens.
+  - **Internal IP addresses** (any IP within the `192.168.0.0/16` range).
+- **Rule**: Never commit `docker/.env` directly to Git.
+
+## 4. Security & Industry Standards
+
+To ensure the home lab remains secure and stable, the following standards apply:
+
+### Container Security
+
+- **Image Pinning**: Avoid `:latest` or `:alpine` tags without a version number. All images must be pinned to a specific version (e.g., `image: postgres:16.1-alpine`).
+- **Least-Privilege**: Containers should run as non-root users (`user: "1000:1000"`) where compatible.
+- **Healthchecks**: Every service in `docker-compose.yml` must include a functional `healthcheck`.
+- **Logging Configuration**: Limit log sizes to prevent disk exhaustion (e.g., `max-size: "10m"`, `max-file: "3"`).
+
+### Data Persistence
+
+- **Standard**: Persistent data volumes should be mapped to a standard path (e.g., `./data/service_name`) or clearly organized within the service directory to simplify backups.
+
+### Quality Control
+
+- **Linting**: All `docker-compose.yml` and `sh` files must pass `hadolint` and `shellcheck` via pre-commit hooks.
+- **Secret Scanning**: Pre-commit hooks must be active to prevent plaintext leakages.
+
+## 5. Operational Workflow
+
+- **Git-First Deployment**: All changes MUST be committed to the repository. Deployment is handled by GitHub Actions (`deploy-prod.yaml`).
+- **Emergency Exception (Hotfix)**:
+  - In a "Service Down" situation, manual fixes may be applied to the live instance **ONLY after explicit USER permission**.
+  - Once verified, changes **MUST** be immediately committed to Git.
+- **Idempotency**: All setup scripts must be safe to run multiple times.
+- **Documentation**: Maintain `ReadMe.md` parity with cluster changes.

ReadMe.md

@@ -5,12 +5,14 @@
 This repository contains configuration files and resources for setting up and managing a Raspberry Pi-based home lab environment. It leverages tools like Docker, pre-commit hooks, and encrypted secrets management to ensure a secure and maintainable setup.
 
 ## Features
+
 - Dockerized Services: Containerized applications for easy deployment and scalability.
 - Pre-commit Hooks: Automated code quality checks to maintain code standards.
 - Encrypted Secrets Management: Secure handling of sensitive information using SOPS.
 - CI/CD Workflows: Automated workflows for testing and deployment.
 
 ## Repository Structure
+
 ```plaintext
 .github/workflows/       # GitHub Actions workflows for CI/CD
 .gitignore               # Specifies files to ignore in Git

docker/docker-compose.yml

@@ -1,38 +1,33 @@
 services:
   cloudflare_ddns:
-    image: favonia/cloudflare-ddns:latest # This is the official image, it supports ARM64
+    image: favonia/cloudflare-ddns:1.15.0
     container_name: cloudflare_ddns
     hostname: cloudflare_ddns
     restart: unless-stopped
     environment:
-      # --- Cloudflare Credentials ---
       - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
-
-      # --- Domains to Update ---
       - DOMAINS=${CF_DDNS_DOMAINS}
-
-      # --- Other Settings ---
       - PROXIED=${CF_DDNS_PROXIED}
       - UPDATE_CRON=@every 5m
       - IP6_PROVIDER=none
       - TZ="America/New_York"
 
   pihole:
     container_name: pihole
-    image: pihole/pihole:latest
+    image: pihole/pihole:2026.02.0
     hostname: pihole
     networks:
       macvlan:
         ipv4_address: ${IP_PIHOLE}
-      pihole_bridge: {}
+      backend_net: {}
     ports:
       - "53:53/tcp"
       - "53:53/udp"
     environment:
       TZ: "America/New_York"
       FTLCONF_webserver_api_password: ${PIHOLE_UI_PASSWORD}
       FTLCONF_dns_listeningMode: "all"
-      FTLCONF_dns_upstreams: "${IP_UNBOUND}" # Uses Unbound's parameterized IP
+      FTLCONF_dns_upstreams: "${IP_UNBOUND}"
       FTLCONF_dhcp_active: "true"
       FTLCONF_dhcp_start: "${PIHOLE_DHCP_START}"
       FTLCONF_dhcp_end: "${PIHOLE_DHCP_END}"
@@ -54,7 +49,7 @@ services:
 
   unbound:
     container_name: unbound
-    image: "mvance/unbound-rpi:latest"
+    image: "mvance/unbound-rpi:1.22"
     hostname: unbound
     command: >
       sh -c "
@@ -84,7 +79,7 @@ services:
   caddy:
     container_name: caddy
     hostname: caddy
-    image: ghcr.io/caddybuilds/caddy-cloudflare:latest
+    image: ghcr.io/caddybuilds/caddy-cloudflare:2.10.2
     restart: unless-stopped
     logging:
       driver: "json-file"
@@ -94,6 +89,7 @@ services:
     networks:
       macvlan:
         ipv4_address: ${IP_CADDY}
+      backend_net: {}
     volumes:
       - ./caddy/Caddyfile:/etc/caddy/Caddyfile
       - ./caddy/error-pages:/opt/caddy-error-pages:ro
@@ -122,13 +118,12 @@ services:
       start_period: 30s
 
   umami_db:
-    image: postgres:alpine
+    image: postgres:17-alpine
     container_name: umami_db
     hostname: umami_db
     restart: unless-stopped
     networks:
-      macvlan:
-        ipv4_address: ${IP_UMAMI_DB}
+      backend_net: {}
     volumes:
       - umami_db_data:/var/lib/postgresql/data
     environment:
@@ -142,18 +137,19 @@ services:
       retries: 5
 
   umami_app:
-    image: docker.umami.is/umami-software/umami:postgresql-latest
+    image: ghcr.io/umami-software/umami:postgresql-3.0.3
     container_name: umami_app
     hostname: umami_app
     restart: unless-stopped
     networks:
       macvlan:
         ipv4_address: ${IP_UMAMI_APP}
+      backend_net: {}
     depends_on:
       umami_db:
         condition: service_healthy
     environment:
-      DATABASE_URL: postgresql://${UMAMI_DB_USER}:${UMAMI_DB_PASSWORD}@${IP_UMAMI_DB}:5432/${UMAMI_DB_NAME} # Uses Umami DB's parameterized IP
+      DATABASE_URL: postgresql://${UMAMI_DB_USER}:${UMAMI_DB_PASSWORD}@umami_db:5432/${UMAMI_DB_NAME}
       DATABASE_TYPE: postgresql
       APP_SECRET: ${UMAMI_APP_SECRET}
       IGNORE_IP: ${UMAMI_IGNORE_IP}
@@ -169,9 +165,8 @@ services:
       retries: 3
       start_period: 30s
 
-  # --- Monitoring Services ---
   prometheus:
-    image: prom/prometheus:latest
+    image: prom/prometheus:v3.9.1
     container_name: prometheus
     hostname: prometheus
     restart: unless-stopped
@@ -186,6 +181,7 @@ services:
     networks:
       macvlan:
         ipv4_address: ${IP_PROMETHEUS}
+      backend_net: {}
     healthcheck:
       test:
         [
@@ -198,7 +194,7 @@ services:
       start_period: 30s
 
   grafana:
-    image: grafana/grafana-oss:latest
+    image: grafana/grafana-oss:12.1.0
     container_name: grafana
     hostname: grafana
     restart: unless-stopped
@@ -213,6 +209,7 @@ services:
     networks:
       macvlan:
         ipv4_address: ${IP_GRAFANA}
+      backend_net: {}
     healthcheck:
       test:
         [
@@ -225,7 +222,7 @@ services:
       start_period: 30s
 
   rpi_node_exporter:
-    image: prom/node-exporter:latest
+    image: prom/node-exporter:v1.8.2
     container_name: rpi_node_exporter
     hostname: rpi_node_exporter
     restart: unless-stopped
@@ -252,11 +249,10 @@ services:
       start_period: 30s
 
   cadvisor:
-    image: gcr.io/cadvisor/cadvisor:latest
+    image: gcr.io/cadvisor/cadvisor:v0.56.2
     container_name: cadvisor
     hostname: cadvisor
     restart: unless-stopped
-    # privileged: true
     devices:
       - /dev/kmsg:/dev/kmsg
     volumes:
@@ -267,9 +263,10 @@ services:
     networks:
       macvlan:
         ipv4_address: ${IP_CADVISOR}
+      backend_net: {}
 
   blackbox_exporter:
-    image: prom/blackbox-exporter:latest
+    image: prom/blackbox-exporter:v0.28.0
     container_name: blackbox
     hostname: blackbox
     restart: unless-stopped
@@ -280,6 +277,7 @@ services:
     networks:
       macvlan:
         ipv4_address: ${IP_BLACKBOX}
+      backend_net: {}
     healthcheck:
       test:
         [
@@ -292,7 +290,7 @@ services:
       start_period: 30s
 
   uptime_kuma:
-    image: louislam/uptime-kuma:latest
+    image: louislam/uptime-kuma:2.1.0
     container_name: uptime_kuma
     hostname: uptime_kuma
     restart: unless-stopped
@@ -304,6 +302,7 @@ services:
     networks:
       macvlan:
         ipv4_address: ${IP_UPTIME_KUMA}
+      backend_net: {}
 
 volumes:
   caddy_data:
@@ -314,7 +313,7 @@ volumes:
   umami_db_data:
 
 networks:
-  pihole_bridge:
+  backend_net:
     driver: bridge
   macvlan:
     name: pi0vlan

docker/grafana/provisioning/datasources/datasources.yaml

@@ -0,0 +1,9 @@
+apiVersion: 1
+
+datasources:
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    url: http://prometheus:9090
+    isDefault: true
+    editable: true

docker/prometheus/config/prometheus.yml.template

@@ -1,24 +1,24 @@
-# ./docker/prometheus/config/prometheus.yml.template
+# ./docker/data/prometheus/config/prometheus.yml.template
 global:
   scrape_interval: 30s
   evaluation_interval: 30s
 
 scrape_configs:
-  - job_name: 'prometheus_self' # Renamed for clarity from 'self'
+  - job_name: 'prometheus_self'
     static_configs:
-      - targets: ['${IP_PROMETHEUS}:9090']
+      - targets: ['prometheus:9090']
 
   - job_name: 'rpi_node_exporter'
     static_configs:
-      - targets: ['${IP_PI_HOST}:9100'] # Using variable for Pi Host IP
+      - targets: ['${IP_PI_HOST}:9100']
 
   - job_name: 'docker_cadvisor'
     static_configs:
-      - targets: ['${IP_CADVISOR}:8080']
+      - targets: ['cadvisor:8080']
 
-  - job_name: 'caddy_metrics' # Renamed for clarity from 'caddy'
+  - job_name: 'caddy_metrics'
     static_configs:
-      - targets: ['${IP_CADDY}:2019']
+      - targets: ['caddy:2019']
     metrics_path: /metrics
 
   - job_name: 'website_and_http_checks'
@@ -30,27 +30,27 @@ scrape_configs:
         - https://geeksbsmrt.com
         - https://smrtgeekdevs.com
         - https://pihole.smrtgeekdevs.com
-        - http://${IP_PIHOLE}/admin/ # Using variable for Pi-hole IP
+        - http://pihole/admin/
     relabel_configs:
       - source_labels: [__address__]
         target_label: __param_target
       - source_labels: [__param_target]
         target_label: instance
       - target_label: __address__
-        replacement: ${IP_BLACKBOX}:9115 # Blackbox Exporter's MacVlan IP
+        replacement: blackbox:9115
 
   - job_name: 'dns_service_checks'
     metrics_path: /probe
     params:
-      module: [dns_probe] # From your blackbox.yml
+      module: [dns_probe]
     static_configs:
       - targets:
-        - '${IP_PIHOLE}:53'    # Pi-hole DNS using variable
-        - '${IP_UNBOUND}:53' # Unbound DNS using variable
+        - 'pihole:53'
+        - 'unbound:53'
     relabel_configs:
       - source_labels: [__address__]
         target_label: __param_target
       - source_labels: [__param_target]
         target_label: instance
       - target_label: __address__
-        replacement: ${IP_BLACKBOX}:9115  # Blackbox Exporter's MacVlan IP
+        replacement: blackbox:9115

secrets.sops.env

@@ -21,7 +21,7 @@ UMAMI_DB_PASSWORD=ENC[AES256_GCM,data:4bQhEPIXYL2TTZ44uv08E9jtLffXEIpnZnPLRFfeRN
 UMAMI_DB_NAME=ENC[AES256_GCM,data:1+2NS6UT6A==,iv:kAVNAT1jcHU00t2MyziklXjAUfWf+Ln/Whj1JFmFwog=,tag:fbKzHkzJ8vrmvP0pe/4PTQ==,type:str]
 UMAMI_APP_SECRET=ENC[AES256_GCM,data:eXzliwppSd9PIXCTiPO4duEiG7RGuIdJ4jq1QvaQpVmRrcJWxtp46f6kMU7T2oIUMqm1yqfDwG1mx6hha8ShVKoW,iv:6+tpBYvBUym7dNaGoi+zLVgHpDTKEzC2FgTZVoK0/bQ=,tag:4Oqm/1/PiYEyVc3LFvYYDw==,type:str]
 UMAMI_IGNORE_IP=ENC[AES256_GCM,data:p3EkeLHf5I/R3Poy8nqfxJ6YryXEufAyi4MwV27P,iv:u/CWZQElilijNSi+YnH+Ldo67cTjKaDqD6UlpEHWynI=,tag:x63EZ9KtxH3crTHAi+aiMQ==,type:str]
-#ENC[AES256_GCM,data:O4ErD6Yu6ciYYcQ=,iv:GyzrQXolGb8PPxOVRPePXpuacXvzILqdo3lLSt6ZL9s=,tag:Rc5o9vaLIwQbMD78LjeMyQ==,type:comment]
+#ENC[AES256_GCM,data:BwT7te5gQbmFgXI=,iv:jJ+B6i+bRY9+bRJUxBb3I0NqFgb+98lnFcBHnEkfOyw=,tag:0yz0oRz6SAEF6oiwrhj8CA==,type:comment]
 #ENC[AES256_GCM,data:/zJ6SW4mtPWwZMaqb53S0N9+O+TOP90=,iv:fN+ZjgvMtUZVieejn51qN9Cav0mSrMU1yzlrRpZaO9I=,tag:Gq2YNpFH/1v5Pkvp9HrETA==,type:comment]
 MACVLAN_PARENT_INTERFACE=ENC[AES256_GCM,data:Oc0mSc4P,iv:BF7SM4BHwaVaGtPnJQwrWtTbNszKd+hlCXTXVFjfoGo=,tag:QZuECgcnq4CwCLCxnGNSdA==,type:str]
 MACVLAN_SUBNET=ENC[AES256_GCM,data:wQiY9j+F+oOcUO3St7PijQ==,iv:b6pgj5RWmfPHngcuremdxgew6Zl4UL1iVVa3NCSlwu0=,tag:IUOb+5FHLwkrTuEwpjc/iA==,type:str]
@@ -33,7 +33,6 @@ IP_PI_HOST=ENC[AES256_GCM,data:bxr2Pvm4fCj6tBJyMA==,iv:q7eso5ZTooNM6nbAsOR1fi0q8
 IP_PIHOLE=ENC[AES256_GCM,data:FSa60PLQOZdyc41CsIWr,iv:UcDZPGLLfJqXm/FJzETRKM0U8lCE0lm9qQvyh8Cm+wc=,tag:nqx2ZImDgePjy6PsuzKDqg==,type:str]
 IP_UNBOUND=ENC[AES256_GCM,data:cwz2e1melJmtFMQ3O98/P/8=,iv:3tIeSw0WYAKQG6MuoXw9/U/xBkXLSpjkOUjEu6TV6Ts=,tag:EwMw4H9o1UT8xPbI0T5wYA==,type:str]
 IP_CADDY=ENC[AES256_GCM,data:hn0w+klRJE1ER6RfuoKd,iv:+d3Bv5I8ULfrofT+47Mh/TPVR+GOoCH6OH5GXTLQtEk=,tag:HGz97ePJw41RyHADe7swtg==,type:str]
-IP_UMAMI_DB=ENC[AES256_GCM,data:uWVRMxJFTZze1dqYfXHb,iv:HHbkWb424OvMK4+TNP6SqnX6Kg9vEk62IrE+FS4ILuU=,tag:/32CShU1QEuZUSNNCynK3Q==,type:str]
 IP_UMAMI_APP=ENC[AES256_GCM,data:nEY5/dFflGdseQnO39zd,iv:nIwXDisLj2ok1PQTm7S7sXeUF3mpMptOFYWWTelijXc=,tag:bTFIZ5C/kLFh9ZwOsHxZnQ==,type:str]
 IP_PROMETHEUS=ENC[AES256_GCM,data:fXuw5TtzH2jWWzD/SnvQlYo=,iv:CLn2JAtWcOnJUsigPWDswnzxcLcfXub/amnuqhHXhwY=,tag:hSp+vaEhrbtXQ1QQWRNFiw==,type:str]
 IP_GRAFANA=ENC[AES256_GCM,data:W3VPCahG9n3/i9320FY+0pU=,iv:LugJLyNrcuPvVD8GwSYvLQt89El4KVglCmCwW/HA4kM=,tag:hBElnJdU4NPvSFHJNDb4wg==,type:str]
@@ -44,7 +43,7 @@ sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2
 sops_age__list_0__map_recipient=age13pmf2jna228g9n780j7tl63qdws4gdll36rtuvk74nld5pet543q5ch3wf
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3VDZzb0IvcXAvcWpRY2pK\nL0txc3ZNVFhSN0NJVCswL05LWHhudHl2eGdZCm9JLy9BNlJrdFVsNlM4WmxNNXdY\nVW1pK3AxOVJvTW1SRWNRUTVUT1BseUEKLS0tIGhXTDE3eG9ucnVuY3dsTW1tbUZq\nTWszMjNwVFA1dUxTaTNUbWRvTkJmWUEKr+qniEgTJ5mBQ0wHGxlMQnj3zNWBdkHZ\nlbpdEQbWsSKAdtPvnKvW//A4gUueemGrTHTBkpiAR8svW5JVlpEImw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1ryc8jh6xye29kgaxqwy57n7qunxak5w8kdtpgk0lwwjuh3w2gywsha6ja2
-sops_lastmodified=2026-02-19T03:21:57Z
-sops_mac=ENC[AES256_GCM,data:ep+4OHLV1CH9weZGlg6f4si+woDIC0N46IFKenDADWweaky+A0ijJMWGGkAtrSRysZkDMDyThCBGcxmrct0V0jtFBMq77Ug1vHAA5N1g+eGkoFClsQe2cy0RgQ+Srq5FfRu67Mx9LS+XYUC4fMqqirxIqiLDkLW05z+Vz69Br94=,iv:RO4knUgDq+JOfjNjsPpFEdsTnVUziXbLmoO0UTrvWbw=,tag:Ye7D68K9YW0bXjYqN17Jgw==,type:str]
+sops_lastmodified=2026-02-21T02:20:36Z
+sops_mac=ENC[AES256_GCM,data:FokRAhjVCcMmuysMQ9Va5/IN1JAai1Uj9wyYyxfI4PAkRRg3o+bjKy6sCRpAUzSbJGfYtlaZEzimFBNeZMDo8bUlAv7Me9OyieixaUkre3HzCZH6v2cwBziJTYMnVkLS157okzZh+UcehLnmPnPkzUIdmCoLND8a36rTwaTDcO4=,iv:QZFgQqy8GFQVbnXHXsElvOUEMX0PDtif9db9s41ocds=,tag:GgKix8hG/KQVbRRZnyOx1g==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0