diff --git a/docker-compose/homer/assets/config.yml b/docker-compose/homer/assets/config.yml
index 07766437..c78aa393 100644
--- a/docker-compose/homer/assets/config.yml
+++ b/docker-compose/homer/assets/config.yml
@@ -78,6 +78,11 @@ services:
 url: "http://docker10.grote.lan:2342"
 target: "_blank"
 subtitle: "Bildersammlung"
+ - name: "Wiki"
+ logo: "assets/icons/mkdocs.png"
+ url: "http://wiki2.mgrote.net" # noch ändern
+ target: "_blank"
+ subtitle: "Wiki"
 - name: "Web"
 icon: "fas fa-cloud"
diff --git a/docker-compose/homer/assets/icons/mkdocs.png b/docker-compose/homer/assets/icons/mkdocs.png
new file mode 100644
index 00000000..61744ca4
Binary files /dev/null and b/docker-compose/homer/assets/icons/mkdocs.png differ
diff --git a/docker-compose/homer/assets/mgmt.yml b/docker-compose/homer/assets/mgmt.yml
index 16ff7c72..895f4ea1 100644
--- a/docker-compose/homer/assets/mgmt.yml
+++ b/docker-compose/homer/assets/mgmt.yml
@@ -63,7 +63,7 @@ services:
 subtitle: "Container-Registry"
 - name: "Woodpecker"
 logo: "assets/icons/woodpecker.svg"
- url: "http://docker10.grote.lan:8000"
+ url: "https://ci.mgrote.net"
 target: "_blank"
 subtitle: "CI/CD"
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index d84ae183..979f1e1d 100644
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@@ -30,7 +30,7 @@ services:
 traefik.http.routers.registry.middlewares: registry-ipwhitelist
- traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
+ traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
 traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
 com.centurylinklabs.watchtower.depends-on: oci-registry-redis
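Review bot: The new Wiki tile links to `http://wiki2.mgrote.net`, but the wiki router added in docker-compose/wiki/docker-compose.yml.j2 is only attached to `entry_https` with TLS and the `nforwardauth` middleware, so a plain-http link either is not served by that router at all or depends on an http-to-https redirect that is not visible here. Since the `# noch ändern` marker already flags the value as provisional, change it to `url: "https://wiki2.mgrote.net"` so the dashboard never hands users an unencrypted entry point to an authenticated site, and drop the marker once the host is final.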
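Review bot: Adding `172.18.0.0/16` to the registry `ipwhitelist.sourcerange` with `ipstrategy.depth: 0` admits every container on any Docker bridge in that /16, not just the one client that presumably needs push access, and the retained comment `# .48. ist Docker` no longer explains the value. Prefer the specific subnet of the compose network the client lives on, or its static address, and update the comment to name the network the new range belongs to, e.g. `# 192.168.48.0/24 and 172.18.0.0/16 are Docker bridges (narrow to the CI network if possible)`. Because depth 0 compares the TCP peer address, traffic that is NATed through the Docker gateway may appear as the bridge's gateway address rather than the container's; worth confirming before relying on this allowlist as the only access control for the registry.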
@@ -80,7 +80,7 @@ services:
 traefik.http.routers.registry-ui.entrypoints: entry_https
 traefik.http.services.registry-ui.loadbalancer.server.port: 80
- traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
+ traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
 traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2
index cb0a2fd4..102efe55 100644
--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
@@ -2,7 +2,7 @@ version: '3'
 services:
 ######## traefik ########
 traefik:
- container_name: "traefik"
+ container_name: traefik
 image: traefik:latest
 restart: always
 volumes:
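Review bot: The registry-ui `sourcerange` drops 192.168.48.0/24 but keeps the trailing comment `# .48. ist Docker`, so the comment now describes a range that is no longer in the list and will mislead the next person adjusting the allowlist. Either delete the comment or replace it with the reason the Docker range was removed from the UI while the registry itself gained 172.18.0.0/16 in the hunk above, e.g. `# LAN and VPN only; Docker networks intentionally not allowed for the UI`. Tightening the UI allowlist is the right direction; just make the intent explicit so it is not "fixed" back later.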
@@ -21,19 +21,40 @@ services:
 TZ: Europe/Berlin
 labels:
 com.centurylinklabs.watchtower.enable: true
- # hier sind gemeinsame middlewares defniert und zu einer chain zusammengefasst
- # CAVE: die Reihenfolge innerhalb von Chains/von Middlewares ist wichtig
- # Aufbau: traefik.http.middlewares..chain.middlewares: middleware1,middleware2,middleware3
- # diese kann dann direkt eingebunden werden:
- # Beispiel: XXXXX
- # beim Einsatz von nforwardauth:
- # Beispiel: YYYYY
+
+######## nforwardauth ########
+ nforwardauth:
+ image: nosduco/nforwardauth:v1
+ container_name: traefik-nforwardauth
+ environment:
+ TOKEN_SECRET: {{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}
+ AUTH_HOST: auth.mgrote.net
+ labels:
+ traefik.enable: true
+ traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
+
+ traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
+
+ traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
+ traefik.http.routers.nforwardauth.tls: true
+ traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
+ traefik.http.routers.nforwardauth.entrypoints: entry_https
+
+ com.centurylinklabs.watchtower.depends-on: traefik
+ com.centurylinklabs.watchtower.enable: true
+ volumes:
+ - "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
+ networks:
+ - traefik
 ######## Networks ########
 networks:
 traefik:
 external: true
-
 ######## Volumes ########
 volumes:
 acme_data:
+
+
+# passwd
+# echo ":$(mkpasswd -m sha-512 )"
diff --git a/docker-compose/traefik/passwd.j2 b/docker-compose/traefik/passwd.j2
new file mode 100644
index 00000000..41b98968
--- /dev/null
+++ b/docker-compose/traefik/passwd.j2
@@ -0,0 +1 @@
+{{ lookup('keepass', 'nforwardauth-mg-hash', 'password') }}
diff --git a/docker-compose/traefik/traefik.yml b/docker-compose/traefik/traefik.yml
index a4fa47a8..10cd500d 100644
--- a/docker-compose/traefik/traefik.yml
+++ b/docker-compose/traefik/traefik.yml
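Review bot: `TOKEN_SECRET: {{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}` is rendered by Ansible as text before docker-compose parses the file, so a secret that contains `#`, `: `, a leading `*`, `&` or `{`, or that happens to be purely numeric, would be truncated, retyped or rejected at YAML parse time; quote it as `TOKEN_SECRET: "{{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}"`. The new `passwd.j2` is a single non-YAML line, so it only needs the keepass entry `nforwardauth-mg-hash` to hold the full `user:hash` line that the `# echo ":$(mkpasswd -m sha-512 )"` hint describes; a comment in the compose file saying the entry must include the user prefix would save the next person a failed login. Separately, `image: nosduco/nforwardauth:v1` combined with `com.centurylinklabs.watchtower.enable: true` lets the authentication gate for the wiki upgrade itself on any v1.x release; pinning an exact tag keeps changes to that component reviewable.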
@@ -31,8 +31,14 @@ certificatesResolvers:
 tlsChallenge: true
 log:
- level: DEBUG
+ level: INFO
 api:
 insecure: true
 dashboard: true # unter Port 8081 erreichbar
+
+#experimental:
+# plugins:
+# ldapAuth:
+# moduleName: "github.com/wiltonsr/ldapAuth"
+# version: "v0.1.4"
diff --git a/docker-compose/wiki/docker-compose.yml.j2 b/docker-compose/wiki/docker-compose.yml.j2
new file mode 100644
index 00000000..56dbd0a3
--- /dev/null
+++ b/docker-compose/wiki/docker-compose.yml.j2
@@ -0,0 +1,31 @@
+version: '3'
+services:
+ wiki-webserver:
+ container_name: wiki-webserver
+ image: httpd:2.4
+ restart: always
+ networks:
+ - traefik
+ ports:
+ - 8087:80
+ volumes:
+ - /docker/wiki/site:/usr/local/apache2/htdocs/
+ # /docker/wiki/site ist ein lokales Verzeichnis auf docker10
+ # dieser Verzeichnis wird direkt in der wiki ci gemountet
+ # und die daten werden dort reingeschrieben
+ labels:
+ traefik.http.routers.wiki.rule: Host(`wiki2.mgrote.net`)
+ traefik.enable: true
+ traefik.http.routers.wiki.tls: true
+ traefik.http.routers.wiki.tls.certresolver: resolver_letsencrypt
+ traefik.http.routers.wiki.entrypoints: entry_https
+ traefik.http.services.wiki.loadbalancer.server.port: 80
+
+ traefik.http.routers.wiki.middlewares: nforwardauth
+
+ com.centurylinklabs.watchtower.enable: true
+
+######## Networks ########
+networks:
+ traefik:
+ external: true
diff --git a/docker-compose/woodpecker/docker-compose.yml.j2 b/docker-compose/woodpecker/docker-compose.yml.j2
index b75238c4..a01c0317 100644
--- a/docker-compose/woodpecker/docker-compose.yml.j2
+++ b/docker-compose/woodpecker/docker-compose.yml.j2
@@ -5,7 +5,7 @@ services:
 woodpecker-server:
 restart: always
 container_name: woodpecker-server
- image: woodpeckerci/woodpecker-server:latest
+ image: woodpeckerci/woodpecker-server:v1.0
 ports:
 - 8000:8000
 volumes:
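Review bot: In the new wiki compose file, `ports: - 8087:80` publishes the httpd container directly on the host, which bypasses Traefik and with it the `nforwardauth` middleware that the same file attaches to the `wiki` router, so anyone able to reach docker10 on port 8087 gets the wiki without authentication (unless the host's ufw rules block it, which is not visible in this hunk). Traefik already reaches the container over the `traefik` network via `traefik.http.services.wiki.loadbalancer.server.port: 80`, so the `ports:` stanza can be dropped entirely; if a local debugging path is wanted, bind it to loopback as `- "127.0.0.1:8087:80"` and quote the mapping as the compose convention recommends. A one-line comment next to the middleware label, e.g. `# all access goes through Traefik + nforwardauth; do not publish ports on the host`, would make the intent explicit.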
@@ -13,6 +13,7 @@ services:
 environment:
 WOODPECKER_OPEN: false
 WOODPECKER_HOST: https://ci.mgrote.net
+ WOODPECKER_WEBHOOK_HOST: http://docker10.grote.lan:8000
 WOODPECKER_GITEA: true
 WOODPECKER_GITEA_URL: https://git.mgrote.net
 WOODPECKER_GITEA_CLIENT: {{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}
@@ -42,7 +43,7 @@ services:
 woodpecker-agent:
 container_name: woodpecker-agent
- image: woodpeckerci/woodpecker-agent:latest
+ image: woodpeckerci/woodpecker-agent:v1.0
 command: agent
 restart: always
 depends_on:
diff --git a/friedhof/lldap/docker-compose.yml.j2 b/friedhof/lldap/docker-compose.yml.j2
new file mode 100644
index 00000000..494aa39d
--- /dev/null
+++ b/friedhof/lldap/docker-compose.yml.j2
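Review bot: `WOODPECKER_WEBHOOK_HOST: http://docker10.grote.lan:8000` makes Gitea deliver its webhooks over plain HTTP to the server's published port 8000 instead of through Traefik at `https://ci.mgrote.net`, so the payload and whatever signature header Gitea attaches cross the LAN unencrypted and arrive at an endpoint outside the TLS-terminating proxy. If the direct LAN path is deliberate (for instance because the host cannot resolve the public name internally), keep it but add a comment stating that reason above the line so it is not later mistaken for a leftover from the `http://docker10.grote.lan:8000` URL that this same commit removes from the Homer dashboard; otherwise point it at the HTTPS name. The rest of the `environment:` block, including the unquoted `{{ lookup(...) }}` values, starts before this hunk.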
@@ -0,0 +1,73 @@
+version: "3"
+services:
+######## App ########
+ lldap:
+ image: nitnelave/lldap:stable
+ container_name: lldap-app
+ restart: always
+ ports:
+ # For LDAP
+ - "3890:3890"
+ # For the web front-end
+ - "17170:17170"
+ networks:
+ - intern
+ - traefik
+ - mail-relay
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - "lldap:/data"
+ environment:
+ UID: 1000
+ GID: 1000
+ LLDAP_HTTP_PORT: 17170
+ LLDAP_HTTP_URL: http://docker10.grote.lan:17170
+ LLDAP_KEY_SEED: ganz_lang
+ LLDAP_VERBOSE: true
+ LLDAP_JWT_SECRET: jwt_secret
+ LLDAP_LDAP_BASE_DN: dc=grote,dc=lan
+ LLDAP_USER_DN: admin
+ LLDAP_LDAP_USER_PASS: user_pass_geheim
+ LLDAP_DATABASE_URL: mysql://lldap-db-user:mysql_password@lldap-db/lldap
+ LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset: true
+ LLDAP_SMTP_OPTIONS__FROM: "LLDAP Admin "
+ LLDAP_SMTP_OPTIONS__REPLY_TO: "Do not reply "
+ LLDAP_SMTP_OPTIONS__SERVER: mail-relay
+ LLDAP_SMTP_OPTIONS__PORT: 25
+ LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION: NONE
+ LLDAP_SMTP_OPTIONS__USER: info@mgrote.net
+ labels:
+ - com.centurylinklabs.watchtower.enable=true
+ - com.centurylinklabs.watchtower.depends-on=lldap-db
+######## DB ########
+ lldap-db:
+ image: mariadb:10
+ container_name: lldap-db
+ restart: always
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - db:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=mysql_root_password
+ - MYSQL_PASSWORD=mysql_password
+ - MYSQL_DATABASE=lldap
+ - MYSQL_USER=lldap-db-user
+ - MYSQL_INITDB_SKIP_TZINFO=1
+ networks:
+ - intern
+ labels:
+ - com.centurylinklabs.watchtower.enable=true
+ ######## Volumes ########
+volumes:
+ lldap:
+ db:
+######## Networks ########
+networks:
+ intern:
+ traefik:
+ external: true
+ mail-relay:
+ external: true
diff --git a/friedhof/lldap/docker-compose0.yml.j2 b/friedhof/lldap/docker-compose0.yml.j2
new file mode 100644
index 00000000..b454e78e
--- /dev/null
+++ b/friedhof/lldap/docker-compose0.yml.j2
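Review bot: The new lldap compose file commits placeholder credentials in plaintext — `LLDAP_KEY_SEED: ganz_lang`, `LLDAP_JWT_SECRET: jwt_secret`, `LLDAP_LDAP_USER_PASS: user_pass_geheim`, the password embedded in `LLDAP_DATABASE_URL`, `MYSQL_ROOT_PASSWORD=mysql_root_password` and `MYSQL_PASSWORD=mysql_password` — even though it carries the `.j2` extension and the other templates in this commit pull secrets with `lookup('keepass', ...)`. The host_vars hunk marks lldap `state: absent`, which limits the immediate exposure, but the file would deploy as-is the moment it is enabled, and it also publishes both `3890:3890` (plain LDAP, bind credentials in clear) and `17170:17170` on the host; replace each secret with a quoted keepass lookup and drop or loopback-bind the port publications before this leaves the "friedhof" directory. Two smaller points: `LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset` mixes case in its suffix and probably will not match the upper-case variable name lldap reads, and the `FROM`/`REPLY_TO` values end in a trailing space with no address, which looks like an angle-bracket address lost somewhere — check the source file.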
@@ -0,0 +1,40 @@
+version: '3'
+services:
+ wiki-webserver:
+ container_name: wiki-webserver
+ image: httpd:2.4
+ restart: always
+ networks:
+ - traefik
+ ports:
+ - 8087:80
+ volumes:
+ - /docker/wiki/site:/usr/local/apache2/htdocs/
+ # /docker/wiki/site ist ein lokales Verzeichnis auf docker10
+ # dieser Verzeichnis wird direkt in der wiki ci gemountet
+ # und die daten werden dort reingeschrieben
+ labels:
+ traefik.http.routers.wiki.rule: Host(`wiki2.mgrote.net`)
+ traefik.enable: true
+ traefik.http.routers.wiki.tls: true
+ traefik.http.routers.wiki.tls.certresolver: resolver_letsencrypt
+ traefik.http.routers.wiki.entrypoints: entry_https
+ traefik.http.services.wiki.loadbalancer.server.port: 80
+
+ traefik.http.routers.wiki.middlewares: nforwardauth
+# traefik.http.routers.wiki.middlewares: ldap_auth
+#
+# # ldapAuth Options
+# traefik.http.middlewares.ldap_auth.plugin.ldapAuth.enabled: true
+# traefik.http.middlewares.ldap_auth.plugin.ldapAuth.logLevel: DEBUG
+# traefik.http.middlewares.ldap_auth.plugin.ldapAuth.url: ldap://lldap-app
+# traefik.http.middlewares.ldap_auth.plugin.ldapAuth.port: 3890
+# traefik.http.middlewares.ldap_auth.plugin.ldapAuth.baseDN: "ou=people,dc=grote,dc=lan"
+# traefik.http.middlewares.ldap_auth.plugin.ldapAuth.attribute: uid
+
+ com.centurylinklabs.watchtower.enable: true
+
+######## Networks ########
+networks:
+ traefik:
+ external: true
diff --git a/host_vars/docker10.grote.lan.yml b/host_vars/docker10.grote.lan.yml
index 55972be0..7bded78b 100644
--- a/host_vars/docker10.grote.lan.yml
+++ b/host_vars/docker10.grote.lan.yml
@@ -76,6 +76,12 @@ compose_files:
 - name: whoami
 state: absent
 network: traefik_test
+ - name: wiki
+ state: present
+ network: traefik
+ - name: lldap
+ state: absent
+ network: ldap
 ### oefenweb.ufw
 ufw_rules:
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index 3d360e8b..b5c627f6 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ
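Review bot: `friedhof/lldap/docker-compose0.yml.j2` is a byte-for-byte copy of `docker-compose/wiki/docker-compose.yml.j2` plus a commented-out `ldap_auth` block, and it reuses `container_name: wiki-webserver` and host port `8087:80`, so it cannot be brought up next to the live wiki stack and is easy to mistake for one. If it is kept as a reference for the ldapAuth experiment, a header comment such as `# archived: ldapAuth-plugin variant of docker-compose/wiki; duplicates its container name and port, not deployable alongside it` makes that clear. Should the block ever be revived, `logLevel: DEBUG` and the plain `ldap://lldap-app` URL (no STARTTLS, bind credentials in clear on the Docker network) should not be uncommented as they stand.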
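Review bot: The new `lldap` entry in host_vars uses `network: ldap`, while both lldap compose files in this commit define only `intern`, `traefik` and `mail-relay`; it is not visible here what the role does with `network:`, but if it is the external network the role has to create, the name does not match anything the compose files reference. Confirm the intended value and align it, or add a short comment on the entry explaining that `ldap` is deliberately different, so the `state: absent` stub does not carry a silent mismatch into the day it is switched to `present`.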
diff --git a/roles/mgrote_docker_compose_inline/tasks/main.yml b/roles/mgrote_docker_compose_inline/tasks/main.yml
index 34f1f99b..6bde5746 100644
--- a/roles/mgrote_docker_compose_inline/tasks/main.yml
+++ b/roles/mgrote_docker_compose_inline/tasks/main.yml
@@ -37,6 +37,7 @@
 dest: "{{ compose_dest_basedir }}/{{ item | replace(compose_src_basedir + '/', '') | replace('.j2', '') }}"
 with_items: "{{ lookup('pipe', 'find '+ compose_src_basedir +'/ -type f -name *.j2').split('\n') }}"
 no_log: true
+ register: copy_template
 - name: Ensure needed networks exists
 become: true
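Review bot: `register: copy_template` is added to a looped template task that also sets `no_log: true`; to my recollection Ansible censors the registered per-item results of such a task, keeping little beyond `changed`, so any later task that inspects `copy_template.results` for paths or diffs will find the censored placeholder instead. If the registration only exists to drive a `changed_when` or a handler, a comment next to it, e.g. `# results are censored by no_log; only .changed is reliable`, would stop a future reader from trying to consume the output. The task itself begins before this hunk, so its module and `src` are not visible here.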