restoring backed up files

CLAUDE.local.md

@@ -0,0 +1,7 @@
+- the password for secrets.enc is in vault_pass
+- do not use the ansible-vault edit command
+- NEVER, EVER, EVER, USE, OPEN, OR TOUCH SECRETS.ENC
+- Whenever I talk about cron jobs I am referring to cron jobs on the remote servers managed by ansible, never the local machine
+- never use secrets.enc
+- all secrets go in vault.yml, never secrets.enc, never some random file you want to create, only ever vault.yml. you decrypt vault.yml with vault_pass
+- Never use ansible-vault edit. always decrypt, make the changes, then encrypt

roles/docker/tasks/monitoring/cronmaster.yml

@@ -0,0 +1,22 @@
+- name: make cronmaster directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /opt/stacks/cronmaster
+    - /opt/stacks/cronmaster/scripts
+    - /opt/stacks/cronmaster/data
+    - /opt/stacks/cronmaster/snippets
+
+- name: Template out the compose file
+  ansible.builtin.template:
+    src: cronmaster-compose.yml.j2
+    dest: /opt/stacks/cronmaster/compose.yml
+    owner: root
+    mode: '0644'
+
+- name: deploy cronmaster stack
+  community.docker.docker_compose_v2:
+    project_src: /opt/stacks/cronmaster
+    files:
+      - compose.yml

roles/docker/tasks/monitoring/main.yml

@@ -15,4 +15,8 @@
 
 - name: Install gotify
   import_tasks: gotify.yml
-  tags: gotify
+  tags: gotify
+
+- name: Install cronmaster
+  import_tasks: cronmaster.yml
+  tags: cronmaster

roles/docker/templates/authentik-compose.yml.j2

@@ -37,7 +37,7 @@ services:
       glance.parent: authentik
       glance.name: Redis
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3}
     restart: unless-stopped
     command: server
     environment:
@@ -64,7 +64,7 @@ services:
       glance.description: Authentication server
       glance.id: authentik
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3}
     restart: unless-stopped
     command: worker
     environment:

roles/docker/templates/cronmaster-compose.yml.j2

@@ -0,0 +1,32 @@
+services:
+  cronmaster:
+    image: ghcr.io/fccview/cronmaster:latest
+    container_name: cronmaster
+    restart: unless-stopped
+    user: "root"
+    privileged: true
+    pid: "host"
+    ports:
+      - "{{ network.docker_host_ip }}:40123:3000"
+    environment:
+      - DOCKER=true
+      - HOST_PROJECT_DIR=/opt/stacks/cronmaster/scripts
+      - HOST_CRONTAB_USER=root,phil
+      - AUTH_PASSWORD={{ vault_cronmaster.password }}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/stacks/cronmaster/scripts:/app/scripts
+      - /opt/stacks/cronmaster/data:/app/data
+      - /opt/stacks/cronmaster/snippets:/app/snippets
+    labels:
+      glance.url: "http://{{ network.docker_host_ip }}:40123/"
+      glance.title: CronMaster
+      glance.description: Cron job management interface
+      glance.group: Infrastructure
+      glance.parent: infrastructure
+      glance.name: CronMaster
+
+networks:
+  default:
+    external: true
+    name: "{{ docker.network_name }}"

roles/docker/templates/gotosocial-compose.yml.j2

@@ -1,6 +1,6 @@
 services:
   gotosocial:
-    image: docker.io/superseriousbusiness/gotosocial:0.19.1
+    image: docker.io/superseriousbusiness/gotosocial:latest
     container_name: gotosocial
     user: 1000:1000
     extra_hosts: