diff --git a/docker-compose/acng/docker-compose.yml.j2 b/docker-compose/acng/docker-compose.yml.j2 index 66588bfa..74ee880b 100644 --- a/docker-compose/acng/docker-compose.yml.j2 +++ b/docker-compose/acng/docker-compose.yml.j2 @@ -3,7 +3,7 @@ services: apt-cacher-ng: container_name: apt-cacher-ng restart: always - image: quotengrote/apt-cacher-ng:master + image: registry.mgrote.net/apt-cacher-ng:master ports: - "9999:9999" volumes: diff --git a/docker-compose/drone/docker-compose.yml.j2 b/docker-compose/drone/docker-compose.yml.j2 index 6ed069d8..50dbaf94 100644 --- a/docker-compose/drone/docker-compose.yml.j2 +++ b/docker-compose/drone/docker-compose.yml.j2 @@ -18,7 +18,7 @@ services: - '444:443' restart: always container_name: drone-server - image: 'drone/drone:latest' + image: 'drone/drone:2' networks: - intern labels: @@ -43,8 +43,9 @@ services: networks: - intern labels: - - com.centurylinklabs.watchtower.enable=true - + com.centurylinklabs.watchtower.enable: true + com.centurylinklabs.watchtower.depends-on: drone-server + ######## Volumes ######## volumes: data: diff --git a/docker-compose/homer/assets/mgmt.yml b/docker-compose/homer/assets/mgmt.yml index ee5b781f..cf00911c 100644 --- a/docker-compose/homer/assets/mgmt.yml +++ b/docker-compose/homer/assets/mgmt.yml @@ -63,9 +63,14 @@ services: subtitle: "CI/CD" - name: "httpd" logo: "assets/icons/roundcube.png" - url: " http://docker10.grote.lan:3344" + url: "http://docker10.grote.lan:3344" target: "_blank" subtitle: "Package-Registry" + - name: "Container Registry" + logo: "assets/icons/hastebin.png" + url: "https://registry.mgrote.net/ui/index.html" + target: "_blank" + subtitle: "Container-Registry" - name: "Infra" icon: "fas fa-cloud" diff --git a/docker-compose/httpd/docker-compose.yml.j2 b/docker-compose/httpd/docker-compose.yml.j2 index a069d1e5..1a6069e9 100644 --- a/docker-compose/httpd/docker-compose.yml.j2 +++ b/docker-compose/httpd/docker-compose.yml.j2 
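Review bot: In the second drone hunk the labels block switches from list form to mapping form, and `com.centurylinklabs.watchtower.enable: true` now parses as a YAML boolean rather than the string the list form produced; label values are documented as strings and, as far as I know, older Compose loaders reject a boolean here while newer ones stringify it, so quoting it avoids depending on the loader: `com.centurylinklabs.watchtower.enable: "true"`. The same holds for `com.centurylinklabs.watchtower.depends-on: drone-server`, which is already a plain string and is fine as written. The service this labels block belongs to starts outside the hunk, so I could not confirm it is the runner that `depends-on` is meant to chain after `drone-server`.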
@@ -14,7 +14,7 @@ services: python-api-server: container_name: httpd-api - image: quotengrote/python-api-server:latest + image: registry.mgrote.net/python-api-server:latest restart: always ports: - "5040:5000" diff --git a/docker-compose/miniflux/docker-compose.yml.j2 b/docker-compose/miniflux/docker-compose.yml.j2 index 574a6644..c227eeab 100644 --- a/docker-compose/miniflux/docker-compose.yml.j2 +++ b/docker-compose/miniflux/docker-compose.yml.j2 @@ -58,7 +58,7 @@ services: MF_API_URL: https://miniflux.mgrote.net/v1 MF_SLEEP: 600 #MF_DEBUG: 1 - image: quotengrote/miniflux-filter:latest + image: registry.mgrote.net/miniflux-filter:latest volumes: - ./filter.txt:/data/filter.txt networks: diff --git a/docker-compose/munin/docker-compose.yml.j2 b/docker-compose/munin/docker-compose.yml.j2 index b7f4163c..251e772b 100644 --- a/docker-compose/munin/docker-compose.yml.j2 +++ b/docker-compose/munin/docker-compose.yml.j2 @@ -2,7 +2,7 @@ version: '3' services: munin: container_name: "munin-master-prod" - image: quotengrote/munin-server:master + image: registry.mgrote.net/munin-server:master restart: always environment: MAILCONTACT: michael.grote@posteo.de diff --git a/docker-compose/oxidized/docker-compose.yml.j2 b/docker-compose/oxidized/docker-compose.yml.j2 index 0cfb70dc..b2f6dbeb 100644 --- a/docker-compose/oxidized/docker-compose.yml.j2 +++ b/docker-compose/oxidized/docker-compose.yml.j2 @@ -3,7 +3,7 @@ services: oxidized: restart: always container_name: "oxidized" - image: oxidized/oxidized:latest # ist auf lokal gebautes Image gesetzt, nach https://github.com/ytti/oxidized/pull/2726 kann es wieder auf latest gesetzt werden + image: oxidized/oxidized:latest ports: - 8888:8888/tcp environment: diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2 new file mode 100644 index 00000000..b7efcf6e --- /dev/null +++ b/docker-compose/registry/docker-compose.yml.j2 
@@ -0,0 +1,83 @@ +version: '3.3' +services: + oci-registry: + restart: always + container_name: oci-registry + image: registry:2 + volumes: + - /mnt/oci-registry:/var/lib/registry + - ./htpasswd:/auth/htpasswd + networks: + - traefik + - intern + environment: + TZ: Europe/Berlin + REGISTRY_AUTH: none + REGISTRY_REDIS_ADDR: oci-registry-redis:6379 + REGISTRY_REDIS_PASSWORD: {{ lookup('keepass', 'oci-registry-redis-pw', 'password') }} + REGISTRY_STORAGE_DELETE_ENABLED: true + labels: + traefik.http.routers.registry.rule: Host(`registry.mgrote.net`) + traefik.enable: true + traefik.http.routers.registry.tls: true + traefik.http.routers.registry.tls.certresolver: resolver_letsencrypt + traefik.http.routers.registry.entrypoints: entry_https + traefik.http.services.registry.loadbalancer.server.port: 5000 + + traefik.http.routers.registry.middlewares: registry-ipwhitelist + traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.0.0/17 + + com.centurylinklabs.watchtower.depends-on: oci-registry-redis + com.centurylinklabs.watchtower.enable: true + + # testen mit: + # docker pull ubuntu + # docker image tag ubuntu registry.mgrote.net/myfirstimage + # docker login --username regadmin --password registry.mgrote.net + # docker push registry.mgrote.net/myfirstimage + # docker pull registry.mgrote.net/myfirstimage + + oci-registry-redis: + image: redis:7 + container_name: oci-registry-redis + networks: + - intern + restart: always + environment: + REDIS_PASSWORD: {{ lookup('keepass', 'oci-registry-redis-pw', 'password') }} + MAXMEMORY POLICY: allkeys-lru + labels: + com.centurylinklabs.watchtower.enable: true + + oci-registry-ui: + restart: always + # url: registry.mgrote.net/ui/index.html + image: joxit/docker-registry-ui:latest + container_name: oci-registry-ui + environment: + DELETE_IMAGES: true + SINGLE_REGISTRY: true + NGINX_PROXY_PASS_URL: http://oci-registry:5000 + networks: + - traefik + - intern + labels: + traefik.http.routers.registry-ui.rule: 
Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht + traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-auth # also entferne den Prefix danach wieder + traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert + traefik.enable: true + traefik.http.routers.registry-ui.tls: true + traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt + traefik.http.routers.registry-ui.entrypoints: entry_https + traefik.http.services.registry-ui.loadbalancer.server.port: 80 + + com.centurylinklabs.watchtower.depends-on: oci-registry-redis,oci-registry + com.centurylinklabs.watchtower.enable: true + + traefik.http.middlewares.registry-ui-auth.basicauth.users: ui-user:$$2y$$05$$6NLaW1ewe/t4M/qnaPHCx.bmsIKR5MOukwJFrvhyFUcqueRcm9i8K # echo $(htpasswd -nB ui-user password) | sed -e s/\\$/\\$\\$/g + +######## Networks ######## +networks: + traefik: + external: true + intern: diff --git a/docker-compose/traefik/traefik.yml b/docker-compose/traefik/traefik.yml index 1c61a6e2..0c623bb5 100644 --- a/docker-compose/traefik/traefik.yml +++ b/docker-compose/traefik/traefik.yml @@ -9,7 +9,7 @@ providers: entryPoints: entry_http: address: :80 - http: #Umleitung http zu https + http: # Umleitung http zu https redirections: entryPoint: to: entry_https @@ -20,7 +20,7 @@ entryPoints: entry_ssh: address: :2222 # wenn hier zusätzliche Ports eingetragen werden, müssen diese auch in der docker-compose.yml als Ports gemappt werden -#letsencrypt +# letsencrypt certificatesResolvers: resolver_letsencrypt: acme: @@ -35,4 +35,4 @@ log: api: insecure: true - dashboard: true #unter Port 8081 erreichbar + dashboard: true # unter Port 8081 erreichbar diff --git a/host_vars/docker10.grote.lan.yml b/host_vars/docker10.grote.lan.yml index 2b26fc4d..ac9773cb 100644 --- a/host_vars/docker10.grote.lan.yml 
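Review bot: `REGISTRY_AUTH: none` in the new registry compose file disables registry authentication even though `./htpasswd` is mounted at `/auth/htpasswd` and the test comment logs in as `regadmin`, so push, pull and — with `REGISTRY_STORAGE_DELETE_ENABLED: true` — delete are open to every client inside the `192.168.0.0/17` ipwhitelist, and to any container on the `intern` network, which reaches port 5000 without going through Traefik at all. Either drop the mount or enable it: `REGISTRY_AUTH: htpasswd`, `REGISTRY_AUTH_HTPASSWD_REALM: registry`, `REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd`. On `oci-registry-redis`, as far as I can tell the official `redis:7` image does not read `REDIS_PASSWORD` or `MAXMEMORY POLICY` (note the space in the key) from the environment, so Redis would run with no `requirepass` and the value in `REGISTRY_REDIS_PASSWORD` is never enforced; pass them as `command: ["redis-server", "--requirepass", "<redis-pw>", "--maxmemory-policy", "allkeys-lru"]` or via a mounted redis.conf. The `basicauth.users` hash is committed with bcrypt cost 05 (the `htpasswd -B` default); regenerate it with `htpasswd -nBC 10 ui-user` and consider sourcing it through the same `lookup('keepass', ...)` used for the Redis password instead of committing it. The test comment's `docker login --username regadmin --password registry.mgrote.net` passes the host name as the password and no server; it should read `docker login --username regadmin registry.mgrote.net` and take the password from the prompt or `--password-stdin`.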
+++ b/host_vars/docker10.grote.lan.yml @@ -12,10 +12,21 @@ filesystem: xfs mount: true mntp: /var/lib/docker + - vgname: vg_docker_volumes + disks: + - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2 + create: true + lvnames: + - lvname: ociregistry + size: +100%FREE + create: true + filesystem: xfs + mount: true + mntp: /mnt/oci-registry manage_lvm: true pvresize_to_max: true ### mgrote.restic - restic_folders_to_backup: "/ /var/lib/docker" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben + restic_folders_to_backup: "/ /var/lib/docker /mnt/oci-registry" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben ### mgrote.docker-compose-inline compose_owner: "docker-user" @@ -55,6 +66,9 @@ state: present - name: acng state: present + - name: registry + state: present + network: traefik ### oefenweb.ufw ufw_rules: - rule: allow diff --git a/keepass_db.kdbx b/keepass_db.kdbx index bbe5dfaf..e5e04b49 100644 Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ