From f71ded1a01a0d65dc54af629f3354d2d5e69db9c Mon Sep 17 00:00:00 2001
From: Phil
Date: Mon, 28 Jul 2025 08:47:28 -0600
Subject: [PATCH] feat: add Grocy kitchen ERP service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add grocy subdomain to domains.yml
- Create Docker Compose template using LinuxServer image
- Add Ansible task for service deployment
- Configure Caddy reverse proxy with Authentik auth and API bypass
- Add DNS record for grocy subdomain
- Integrate with productivity services category
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 dns.yml | 2 ++
 group_vars/all/domains.yml | 1 +
 roles/docker/files/Caddyfile | 20 ++++++++++++++
 roles/docker/tasks/productivity/grocy.yml | 18 +++++++++++++
 roles/docker/tasks/productivity/main.yml | 6 ++++-
 roles/docker/templates/grocy-compose.yml.j2 | 30 +++++++++++++++++++++
 6 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 roles/docker/tasks/productivity/grocy.yml
 create mode 100644 roles/docker/templates/grocy-compose.yml.j2
diff --git a/dns.yml b/dns.yml
index f77b712..fa8a1b5 100644
--- a/dns.yml
+++ b/dns.yml
@@ -55,6 +55,8 @@
 ip: "152.53.36.98"
 - name: kanboard
 ip: "152.53.36.98"
+ - name: grocy
+ ip: "152.53.36.98"
 - name: nerder.land
 dns_records:
 - name: "forms"
diff --git a/group_vars/all/domains.yml b/group_vars/all/domains.yml
index fc6c13b..e4cfba5 100644
--- a/group_vars/all/domains.yml
+++ b/group_vars/all/domains.yml
@@ -33,6 +33,7 @@ subdomains:
 gotify: "gotify.{{ primary_domain }}" # Gotify notifications
 gotify_assistant: "gotify-assistant.{{ primary_domain }}" # iGotify iOS assistant
 kanboard: "kanboard.{{ primary_domain }}" # Kanboard project management
+ grocy: "grocy.{{ primary_domain }}" # Grocy kitchen ERP
 # Email domains for notifications
 email_domains:
diff --git a/roles/docker/files/Caddyfile b/roles/docker/files/Caddyfile
index 645c685..a69c7f7 100644
--- a/roles/docker/files/Caddyfile
+++ b/roles/docker/files/Caddyfile
@@ -44,6 +44,26 @@ kanboard.thesatelliteoflove.com {
 reverse_proxy kanboard:80
 }
+grocy.thesatelliteoflove.com {
+ # API endpoints bypass forward auth for mobile apps
+ handle /api/* {
+ reverse_proxy grocy:80
+ }
+
+ # Web interface requires Authentik authentication
+ forward_auth authentik-server-1:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+ copy_headers {
+ X-authentik-username
+ X-authentik-groups
+ X-authentik-email
+ X-authentik-name
+ X-authentik-uid
+ }
+ }
+ reverse_proxy grocy:80
+}
+
 phlog.thesatelliteoflove.com {
 reverse_proxy ghost-1-ghost-1:2368
 }
diff --git a/roles/docker/tasks/productivity/grocy.yml b/roles/docker/tasks/productivity/grocy.yml
new file mode 100644
index 0000000..4a492f3
--- /dev/null
+++ b/roles/docker/tasks/productivity/grocy.yml
@@ -0,0 +1,18 @@
+---
+- name: Create grocy directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ loop:
+ - /opt/stacks/grocy
+
+- name: Template grocy compose file
+ ansible.builtin.template:
+ src: grocy-compose.yml.j2
+ dest: /opt/stacks/grocy/compose.yml
+
+- name: Deploy grocy stack
+ community.docker.docker_compose_v2:
+ project_src: /opt/stacks/grocy
+ files:
+ - compose.yml
\ No newline at end of file
diff --git a/roles/docker/tasks/productivity/main.yml b/roles/docker/tasks/productivity/main.yml
index 55d7443..e4c042a 100644
--- a/roles/docker/tasks/productivity/main.yml
+++ b/roles/docker/tasks/productivity/main.yml
@@ -35,4 +35,8 @@
 - name: Install kanboard
 import_tasks: kanboard.yml
- tags: kanboard
\ No newline at end of file
+ tags: kanboard
+
+- name: Install grocy
+ import_tasks: grocy.yml
+ tags: grocy
\ No newline at end of file
diff --git a/roles/docker/templates/grocy-compose.yml.j2 b/roles/docker/templates/grocy-compose.yml.j2
new file mode 100644
index 0000000..6eee15c
--- /dev/null
+++ b/roles/docker/templates/grocy-compose.yml.j2
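Review bot: The `/api/*` exemption in the new `grocy.thesatelliteoflove.com` block probably does not behave as its comment says, and the intended exposure should be stated either way. As far as I know Caddy's default directive order runs a top-level `forward_auth` before any `handle`, so the Authentik check would still apply to `/api/*`; if the exemption is really wanted, move `forward_auth` and the final `reverse_proxy grocy:80` into their own catch-all `handle { … }` so the two routes are mutually exclusive. Once the exemption works, Grocy's own API key is the only control on `/api/*`, so the comment should say that, e.g. `# /api/* skips Authentik; access is gated only by Grocy API keys`. That route also passes client-sent `X-authentik-*` request headers through unchanged, which would matter if Grocy were ever configured to trust a proxy-supplied user header.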
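Review bot: Neither the `ansible.builtin.file` task nor the `ansible.builtin.template` task in the new `grocy.yml` sets `mode` or `owner`, so `/opt/stacks/grocy` and `compose.yml` get whatever the connecting user's umask yields. Add explicit, quoted modes such as `mode: "0750"` on the directory and `mode: "0640"` on the templated file, plus `owner`/`group` if the play does not already run as the intended account. The `./config` bind mount used by the compose template is not created by these tasks, so Docker will presumably create it itself; adding `/opt/stacks/grocy/config` to the existing `loop` would make its ownership explicit.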
@@ -0,0 +1,30 @@
+services:
+ grocy:
+ image: lscr.io/linuxserver/grocy:latest
+ container_name: grocy
+ restart: unless-stopped
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=America/Denver
+ volumes:
+ - ./config:/config
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+ - "{{ subdomains.auth }}:{{ docker.hairpin_ip }}"
+ labels:
+ glance.name: Grocy
+ glance.icon: si:grocyapp
+ glance.url: https://{{ subdomains.grocy }}/
+ glance.description: Kitchen ERP and inventory management
+ glance.id: grocy
+ mag37.dockcheck.update: true
+
+volumes:
+ grocy_config:
+ driver: local
+
+networks:
+ default:
+ external: true
+ name: {{ docker.network_name }}
\ No newline at end of file
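Review bot: `image: lscr.io/linuxserver/grocy:latest` combined with the `mag37.dockcheck.update: true` label, which appears to opt the container into automated updates, means the running image can change without any change in this repository. Pin a release tag or digest, e.g. `image: lscr.io/linuxserver/grocy:<version>@sha256:<digest>` (placeholders), so that updates arrive as reviewed commits. Two smaller points in the same file: the top-level `grocy_config` volume is declared but the service uses the `./config` bind mount, so the declaration can be dropped, and the last line should be quoted as `name: "{{ docker.network_name }}"` so an empty or unusual value cannot change the YAML type.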