feat: add Grocy kitchen ERP service

- Add grocy subdomain to domains.yml
- Create Docker Compose template using LinuxServer image
- Add Ansible task for service deployment
- Configure Caddy reverse proxy with Authentik auth and API bypass
- Add DNS record for grocy subdomain
- Integrate with productivity services category

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

dns.yml

@@ -55,6 +55,8 @@
             ip: "152.53.36.98"
           - name: kanboard
             ip: "152.53.36.98"
+          - name: grocy
+            ip: "152.53.36.98"
       - name: nerder.land
         dns_records:
           - name: "forms"

group_vars/all/domains.yml

@@ -33,6 +33,7 @@ subdomains:
   gotify: "gotify.{{ primary_domain }}"  # Gotify notifications
   gotify_assistant: "gotify-assistant.{{ primary_domain }}"  # iGotify iOS assistant
   kanboard: "kanboard.{{ primary_domain }}"  # Kanboard project management
+  grocy: "grocy.{{ primary_domain }}"  # Grocy kitchen ERP
 
 # Email domains for notifications
 email_domains:

roles/docker/files/Caddyfile

@@ -44,6 +44,26 @@ kanboard.thesatelliteoflove.com {
     reverse_proxy kanboard:80
 }
 
+grocy.thesatelliteoflove.com {
+    # API endpoints bypass forward auth for mobile apps
+    handle /api/* {
+        reverse_proxy grocy:80
+    }
+    
+    # Web interface requires Authentik authentication
+    forward_auth authentik-server-1:9000 {
+        uri /outpost.goauthentik.io/auth/caddy
+        copy_headers {
+            X-authentik-username
+            X-authentik-groups  
+            X-authentik-email
+            X-authentik-name
+            X-authentik-uid
+        }
+    }
+    reverse_proxy grocy:80
+}
+
 phlog.thesatelliteoflove.com {
     reverse_proxy ghost-1-ghost-1:2368
 }

roles/docker/tasks/productivity/grocy.yml

@@ -0,0 +1,18 @@
+---
+- name: Create grocy directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /opt/stacks/grocy
+
+- name: Template grocy compose file
+  ansible.builtin.template:
+    src: grocy-compose.yml.j2
+    dest: /opt/stacks/grocy/compose.yml
+
+- name: Deploy grocy stack
+  community.docker.docker_compose_v2:
+    project_src: /opt/stacks/grocy
+    files:
+      - compose.yml

roles/docker/tasks/productivity/main.yml

@@ -35,4 +35,8 @@
 
 - name: Install kanboard
   import_tasks: kanboard.yml
-  tags: kanboard
+  tags: kanboard
+
+- name: Install grocy
+  import_tasks: grocy.yml
+  tags: grocy

roles/docker/templates/grocy-compose.yml.j2

@@ -0,0 +1,30 @@
+services:
+  grocy:
+    image: lscr.io/linuxserver/grocy:latest
+    container_name: grocy
+    restart: unless-stopped
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=America/Denver
+    volumes:
+      - ./config:/config
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+      - "{{ subdomains.auth }}:{{ docker.hairpin_ip }}"
+    labels:
+      glance.name: Grocy
+      glance.icon: si:grocyapp
+      glance.url: https://{{ subdomains.grocy }}/
+      glance.description: Kitchen ERP and inventory management
+      glance.id: grocy
+      mag37.dockcheck.update: true
+
+volumes:
+  grocy_config:
+    driver: local
+
+networks:
+  default:
+    external: true
+    name: {{ docker.network_name }}