add mkdocs-wiki (#601)

Reviewed-on: #601 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de>
2023-11-16 20:09:14 +01:00 · 2023-11-16 20:09:14 +01:00 · 7c0c860600
parent 55f002f828
commit 7c0c860600
14 changed files with 200 additions and 15 deletions
--- a/docker-compose/homer/assets/config.yml
+++ b/docker-compose/homer/assets/config.yml
@ -78,6 +78,11 @@ services:
        url: "http://docker10.grote.lan:2342"
        target: "_blank"
        subtitle: "Bildersammlung"
+      - name: "Wiki"
+        logo: "assets/icons/mkdocs.png"
+        url: "http://wiki2.mgrote.net" # noch ändern
+        target: "_blank"
+        subtitle: "Wiki"

  - name: "Web"
    icon: "fas fa-cloud"
--- a/docker-compose/homer/assets/icons/mkdocs.png
+++ b/docker-compose/homer/assets/icons/mkdocs.png
--- a/docker-compose/homer/assets/mgmt.yml
+++ b/docker-compose/homer/assets/mgmt.yml
@ -63,7 +63,7 @@ services:
        subtitle: "Container-Registry"
      - name: "Woodpecker"
        logo: "assets/icons/woodpecker.svg"
-        url: "http://docker10.grote.lan:8000"
+        url: "https://ci.mgrote.net"
        target: "_blank"
        subtitle: "CI/CD"

--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@ -30,7 +30,7 @@ services:

      traefik.http.routers.registry.middlewares: registry-ipwhitelist

-      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
+      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth

      com.centurylinklabs.watchtower.depends-on: oci-registry-redis
@ -80,7 +80,7 @@ services:
      traefik.http.routers.registry-ui.entrypoints: entry_https
      traefik.http.services.registry-ui.loadbalancer.server.port: 80

-      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
+      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth


--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
@ -2,7 +2,7 @@ version: '3'
 services:
 ######## traefik ########
  traefik:
-    container_name: "traefik"
+    container_name: traefik
    image: traefik:latest
    restart: always
    volumes:
@ -21,19 +21,40 @@ services:
      TZ: Europe/Berlin
    labels:
      com.centurylinklabs.watchtower.enable: true
-      # hier sind gemeinsame middlewares defniert und zu einer chain zusammengefasst
-      # CAVE: die Reihenfolge innerhalb von Chains/von Middlewares ist wichtig
-      # Aufbau: traefik.http.middlewares.<NAME>.chain.middlewares: middleware1,middleware2,middleware3
-      # diese kann dann direkt eingebunden werden:
-      # Beispiel: XXXXX
-      # beim Einsatz von nforwardauth:
-      # Beispiel: YYYYY
+
+######## nforwardauth ########
+  nforwardauth:
+    image: nosduco/nforwardauth:v1
+    container_name: traefik-nforwardauth
+    environment:
+      TOKEN_SECRET: {{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}
+      AUTH_HOST: auth.mgrote.net
+    labels:
+      traefik.enable: true
+      traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
+
+      traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
+
+      traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
+      traefik.http.routers.nforwardauth.tls: true
+      traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
+      traefik.http.routers.nforwardauth.entrypoints: entry_https
+
+      com.centurylinklabs.watchtower.depends-on: traefik
+      com.centurylinklabs.watchtower.enable: true
+    volumes:
+      - "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
+    networks:
+      - traefik

 ######## Networks ########
 networks:
  traefik:
    external: true
-
 ######## Volumes ########
 volumes:
  acme_data:
+
+
+# passwd
+# echo "<user>:$(mkpasswd -m sha-512 <password>)"
--- a/docker-compose/traefik/passwd.j2
+++ b/docker-compose/traefik/passwd.j2
@ -0,0 +1 @@
+{{ lookup('keepass', 'nforwardauth-mg-hash', 'password') }}
--- a/docker-compose/traefik/traefik.yml
+++ b/docker-compose/traefik/traefik.yml
@ -31,8 +31,14 @@ certificatesResolvers:
      tlsChallenge: true

 log:
-  level: DEBUG
+  level: INFO

 api:
  insecure: true
  dashboard: true # unter Port 8081 erreichbar
+
+#experimental:
+#  plugins:
+#    ldapAuth:
+#      moduleName: "github.com/wiltonsr/ldapAuth"
+#      version: "v0.1.4"
--- a/docker-compose/wiki/docker-compose.yml.j2
+++ b/docker-compose/wiki/docker-compose.yml.j2
@ -0,0 +1,31 @@
+version: '3'
+services:
+  wiki-webserver:
+    container_name: wiki-webserver
+    image: httpd:2.4
+    restart: always
+    networks:
+      - traefik
+    ports:
+      - 8087:80
+    volumes:
+      - /docker/wiki/site:/usr/local/apache2/htdocs/
+      # /docker/wiki/site ist ein lokales Verzeichnis auf docker10
+      # dieser Verzeichnis wird direkt in der wiki ci gemountet
+      # und die daten werden dort reingeschrieben
+    labels:
+      traefik.http.routers.wiki.rule: Host(`wiki2.mgrote.net`)
+      traefik.enable: true
+      traefik.http.routers.wiki.tls: true
+      traefik.http.routers.wiki.tls.certresolver: resolver_letsencrypt
+      traefik.http.routers.wiki.entrypoints: entry_https
+      traefik.http.services.wiki.loadbalancer.server.port: 80
+
+      traefik.http.routers.wiki.middlewares: nforwardauth
+
+      com.centurylinklabs.watchtower.enable: true
+
+######## Networks ########
+networks:
+  traefik:
+    external: true
--- a/docker-compose/woodpecker/docker-compose.yml.j2
+++ b/docker-compose/woodpecker/docker-compose.yml.j2
@ -5,7 +5,7 @@ services:
  woodpecker-server:
    restart: always
    container_name: woodpecker-server
-    image: woodpeckerci/woodpecker-server:latest
+    image: woodpeckerci/woodpecker-server:v1.0
    ports:
      - 8000:8000
    volumes:
@ -13,6 +13,7 @@ services:
    environment:
      WOODPECKER_OPEN: false
      WOODPECKER_HOST: https://ci.mgrote.net
+      WOODPECKER_WEBHOOK_HOST: http://docker10.grote.lan:8000
      WOODPECKER_GITEA: true
      WOODPECKER_GITEA_URL: https://git.mgrote.net
      WOODPECKER_GITEA_CLIENT: {{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}
@ -42,7 +43,7 @@ services:

  woodpecker-agent:
    container_name: woodpecker-agent
-    image: woodpeckerci/woodpecker-agent:latest
+    image: woodpeckerci/woodpecker-agent:v1.0
    command: agent
    restart: always
    depends_on:
--- a/friedhof/lldap/docker-compose.yml.j2
+++ b/friedhof/lldap/docker-compose.yml.j2
@ -0,0 +1,73 @@
+version: "3"
+services:
+######## App ########
+  lldap:
+    image: nitnelave/lldap:stable
+    container_name: lldap-app
+    restart: always
+    ports:
+      # For LDAP
+      - "3890:3890"
+      # For the web front-end
+      - "17170:17170"
+    networks:
+      - intern
+      - traefik
+      - mail-relay
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - "lldap:/data"
+    environment:
+      UID: 1000
+      GID: 1000
+      LLDAP_HTTP_PORT: 17170
+      LLDAP_HTTP_URL: http://docker10.grote.lan:17170
+      LLDAP_KEY_SEED: ganz_lang
+      LLDAP_VERBOSE: true
+      LLDAP_JWT_SECRET: jwt_secret
+      LLDAP_LDAP_BASE_DN: dc=grote,dc=lan
+      LLDAP_USER_DN: admin
+      LLDAP_LDAP_USER_PASS: user_pass_geheim
+      LLDAP_DATABASE_URL: mysql://lldap-db-user:mysql_password@lldap-db/lldap
+      LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset: true
+      LLDAP_SMTP_OPTIONS__FROM: "LLDAP Admin <info@mgrote.net>"
+      LLDAP_SMTP_OPTIONS__REPLY_TO: "Do not reply <info@mgrote.net>"
+      LLDAP_SMTP_OPTIONS__SERVER: mail-relay
+      LLDAP_SMTP_OPTIONS__PORT: 25
+      LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION: NONE
+      LLDAP_SMTP_OPTIONS__USER: info@mgrote.net
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+      - com.centurylinklabs.watchtower.depends-on=lldap-db
+######## DB ########
+  lldap-db:
+    image: mariadb:10
+    container_name: lldap-db
+    restart: always
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - db:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=mysql_root_password
+      - MYSQL_PASSWORD=mysql_password
+      - MYSQL_DATABASE=lldap
+      - MYSQL_USER=lldap-db-user
+      - MYSQL_INITDB_SKIP_TZINFO=1
+    networks:
+      - intern
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+
+######## Volumes ########
+volumes:
+  lldap:
+  db:
+######## Networks ########
+networks:
+  intern:
+  traefik:
+    external: true
+  mail-relay:
+    external: true
--- a/friedhof/lldap/docker-compose0.yml.j2
+++ b/friedhof/lldap/docker-compose0.yml.j2
@ -0,0 +1,40 @@
+version: '3'
+services:
+  wiki-webserver:
+    container_name: wiki-webserver
+    image: httpd:2.4
+    restart: always
+    networks:
+      - traefik
+    ports:
+      - 8087:80
+    volumes:
+      - /docker/wiki/site:/usr/local/apache2/htdocs/
+      # /docker/wiki/site ist ein lokales Verzeichnis auf docker10
+      # dieser Verzeichnis wird direkt in der wiki ci gemountet
+      # und die daten werden dort reingeschrieben
+    labels:
+      traefik.http.routers.wiki.rule: Host(`wiki2.mgrote.net`)
+      traefik.enable: true
+      traefik.http.routers.wiki.tls: true
+      traefik.http.routers.wiki.tls.certresolver: resolver_letsencrypt
+      traefik.http.routers.wiki.entrypoints: entry_https
+      traefik.http.services.wiki.loadbalancer.server.port: 80
+
+      traefik.http.routers.wiki.middlewares: nforwardauth
+#      traefik.http.routers.wiki.middlewares: ldap_auth
+#
+#    # ldapAuth Options
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.enabled: true
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.logLevel: DEBUG
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.url: ldap://lldap-app
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.port: 3890
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.baseDN: "ou=people,dc=grote,dc=lan"
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.attribute: uid
+
+      com.centurylinklabs.watchtower.enable: true
+
+######## Networks ########
+networks:
+  traefik:
+    external: true
--- a/host_vars/docker10.grote.lan.yml
+++ b/host_vars/docker10.grote.lan.yml
@ -76,6 +76,12 @@ compose_files:
  - name: whoami
    state: absent
    network: traefik_test
+  - name: wiki
+    state: present
+    network: traefik
+  - name: lldap
+    state: absent
+    network: ldap

 ### oefenweb.ufw
 ufw_rules:
--- a/keepass_db.kdbx
+++ b/keepass_db.kdbx
--- a/roles/mgrote_docker_compose_inline/tasks/main.yml
+++ b/roles/mgrote_docker_compose_inline/tasks/main.yml
@ -37,6 +37,7 @@
    dest: "{{ compose_dest_basedir }}/{{ item | replace(compose_src_basedir + '/', '') | replace('.j2', '') }}"
  with_items: "{{ lookup('pipe', 'find '+ compose_src_basedir +'/ -type f -name *.j2').split('\n') }}"
  no_log: true
+  register: copy_template

 - name: Ensure needed networks exists
  become: true
				`@ -0,0 +1 @@`
				`{{ lookup('keepass', 'nforwardauth-mg-hash', 'password') }}`