add mkdocs-wiki (#601)

Reviewed-on: #601
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>

docker-compose/homer/assets/config.yml

@@ -78,6 +78,11 @@ services:
         url: "http://docker10.grote.lan:2342"
         target: "_blank"
         subtitle: "Bildersammlung"
+      - name: "Wiki"
+        logo: "assets/icons/mkdocs.png"
+        url: "http://wiki2.mgrote.net" # noch ändern
+        target: "_blank"
+        subtitle: "Wiki"
 
   - name: "Web"
     icon: "fas fa-cloud"

docker-compose/homer/assets/mgmt.yml

@@ -63,7 +63,7 @@ services:
         subtitle: "Container-Registry"
       - name: "Woodpecker"
         logo: "assets/icons/woodpecker.svg"
-        url: "http://docker10.grote.lan:8000"
+        url: "https://ci.mgrote.net"
         target: "_blank"
         subtitle: "CI/CD"
 

docker-compose/registry/docker-compose.yml.j2

@@ -30,7 +30,7 @@ services:
 
       traefik.http.routers.registry.middlewares: registry-ipwhitelist
 
-      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
+      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
       traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
 
       com.centurylinklabs.watchtower.depends-on: oci-registry-redis
@@ -80,7 +80,7 @@ services:
       traefik.http.routers.registry-ui.entrypoints: entry_https
       traefik.http.services.registry-ui.loadbalancer.server.port: 80
 
-      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
+      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
       traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
 
 

docker-compose/traefik/docker-compose.yml.j2

@@ -2,7 +2,7 @@ version: '3'
 services:
 ######## traefik ########
   traefik:
-    container_name: "traefik"
+    container_name: traefik
     image: traefik:latest
     restart: always
     volumes:
@@ -21,19 +21,40 @@ services:
       TZ: Europe/Berlin
     labels:
       com.centurylinklabs.watchtower.enable: true
-      # hier sind gemeinsame middlewares defniert und zu einer chain zusammengefasst
-      # CAVE: die Reihenfolge innerhalb von Chains/von Middlewares ist wichtig
-      # Aufbau: traefik.http.middlewares.<NAME>.chain.middlewares: middleware1,middleware2,middleware3
-      # diese kann dann direkt eingebunden werden:
-      # Beispiel: XXXXX
-      # beim Einsatz von nforwardauth:
-      # Beispiel: YYYYY
+
+######## nforwardauth ########
+  nforwardauth:
+    image: nosduco/nforwardauth:v1
+    container_name: traefik-nforwardauth
+    environment:
+      TOKEN_SECRET: {{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}
+      AUTH_HOST: auth.mgrote.net
+    labels:
+      traefik.enable: true
+      traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
+
+      traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
+
+      traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
+      traefik.http.routers.nforwardauth.tls: true
+      traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
+      traefik.http.routers.nforwardauth.entrypoints: entry_https
+
+      com.centurylinklabs.watchtower.depends-on: traefik
+      com.centurylinklabs.watchtower.enable: true
+    volumes:
+      - "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
+    networks:
+      - traefik
 
 ######## Networks ########
 networks:
   traefik:
     external: true
-
 ######## Volumes ########
 volumes:
   acme_data:
+
+
+# passwd
+# echo "<user>:$(mkpasswd -m sha-512 <password>)"

docker-compose/traefik/passwd.j2

@@ -0,0 +1 @@
+{{ lookup('keepass', 'nforwardauth-mg-hash', 'password') }}

docker-compose/traefik/traefik.yml

@@ -31,8 +31,14 @@ certificatesResolvers:
       tlsChallenge: true
 
 log:
-  level: DEBUG
+  level: INFO
 
 api:
   insecure: true
   dashboard: true # unter Port 8081 erreichbar
+
+#experimental:
+#  plugins:
+#    ldapAuth:
+#      moduleName: "github.com/wiltonsr/ldapAuth"
+#      version: "v0.1.4"

docker-compose/wiki/docker-compose.yml.j2

@@ -0,0 +1,31 @@
+version: '3'
+services:
+  wiki-webserver:
+    container_name: wiki-webserver
+    image: httpd:2.4
+    restart: always
+    networks:
+      - traefik
+    ports:
+      - 8087:80
+    volumes:
+      - /docker/wiki/site:/usr/local/apache2/htdocs/
+      # /docker/wiki/site ist ein lokales Verzeichnis auf docker10
+      # dieser Verzeichnis wird direkt in der wiki ci gemountet
+      # und die daten werden dort reingeschrieben
+    labels:
+      traefik.http.routers.wiki.rule: Host(`wiki2.mgrote.net`)
+      traefik.enable: true
+      traefik.http.routers.wiki.tls: true
+      traefik.http.routers.wiki.tls.certresolver: resolver_letsencrypt
+      traefik.http.routers.wiki.entrypoints: entry_https
+      traefik.http.services.wiki.loadbalancer.server.port: 80
+
+      traefik.http.routers.wiki.middlewares: nforwardauth
+
+      com.centurylinklabs.watchtower.enable: true
+
+######## Networks ########
+networks:
+  traefik:
+    external: true

docker-compose/woodpecker/docker-compose.yml.j2

@@ -5,7 +5,7 @@ services:
   woodpecker-server:
     restart: always
     container_name: woodpecker-server
-    image: woodpeckerci/woodpecker-server:latest
+    image: woodpeckerci/woodpecker-server:v1.0
     ports:
       - 8000:8000
     volumes:
@@ -13,6 +13,7 @@ services:
     environment:
       WOODPECKER_OPEN: false
       WOODPECKER_HOST: https://ci.mgrote.net
+      WOODPECKER_WEBHOOK_HOST: http://docker10.grote.lan:8000
       WOODPECKER_GITEA: true
       WOODPECKER_GITEA_URL: https://git.mgrote.net
       WOODPECKER_GITEA_CLIENT: {{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}
@@ -42,7 +43,7 @@ services:
 
   woodpecker-agent:
     container_name: woodpecker-agent
-    image: woodpeckerci/woodpecker-agent:latest
+    image: woodpeckerci/woodpecker-agent:v1.0
     command: agent
     restart: always
     depends_on:

friedhof/lldap/docker-compose.yml.j2

@@ -0,0 +1,73 @@
+version: "3"
+services:
+######## App ########
+  lldap:
+    image: nitnelave/lldap:stable
+    container_name: lldap-app
+    restart: always
+    ports:
+      # For LDAP
+      - "3890:3890"
+      # For the web front-end
+      - "17170:17170"
+    networks:
+      - intern
+      - traefik
+      - mail-relay
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - "lldap:/data"
+    environment:
+      UID: 1000
+      GID: 1000
+      LLDAP_HTTP_PORT: 17170
+      LLDAP_HTTP_URL: http://docker10.grote.lan:17170
+      LLDAP_KEY_SEED: ganz_lang
+      LLDAP_VERBOSE: true
+      LLDAP_JWT_SECRET: jwt_secret
+      LLDAP_LDAP_BASE_DN: dc=grote,dc=lan
+      LLDAP_USER_DN: admin
+      LLDAP_LDAP_USER_PASS: user_pass_geheim
+      LLDAP_DATABASE_URL: mysql://lldap-db-user:mysql_password@lldap-db/lldap
+      LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset: true
+      LLDAP_SMTP_OPTIONS__FROM: "LLDAP Admin <info@mgrote.net>"
+      LLDAP_SMTP_OPTIONS__REPLY_TO: "Do not reply <info@mgrote.net>"
+      LLDAP_SMTP_OPTIONS__SERVER: mail-relay
+      LLDAP_SMTP_OPTIONS__PORT: 25
+      LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION: NONE
+      LLDAP_SMTP_OPTIONS__USER: info@mgrote.net
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+      - com.centurylinklabs.watchtower.depends-on=lldap-db
+######## DB ########
+  lldap-db:
+    image: mariadb:10
+    container_name: lldap-db
+    restart: always
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - db:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=mysql_root_password
+      - MYSQL_PASSWORD=mysql_password
+      - MYSQL_DATABASE=lldap
+      - MYSQL_USER=lldap-db-user
+      - MYSQL_INITDB_SKIP_TZINFO=1
+    networks:
+      - intern
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+
+######## Volumes ########
+volumes:
+  lldap:
+  db:
+######## Networks ########
+networks:
+  intern:
+  traefik:
+    external: true
+  mail-relay:
+    external: true

friedhof/lldap/docker-compose0.yml.j2

@@ -0,0 +1,40 @@
+version: '3'
+services:
+  wiki-webserver:
+    container_name: wiki-webserver
+    image: httpd:2.4
+    restart: always
+    networks:
+      - traefik
+    ports:
+      - 8087:80
+    volumes:
+      - /docker/wiki/site:/usr/local/apache2/htdocs/
+      # /docker/wiki/site ist ein lokales Verzeichnis auf docker10
+      # dieser Verzeichnis wird direkt in der wiki ci gemountet
+      # und die daten werden dort reingeschrieben
+    labels:
+      traefik.http.routers.wiki.rule: Host(`wiki2.mgrote.net`)
+      traefik.enable: true
+      traefik.http.routers.wiki.tls: true
+      traefik.http.routers.wiki.tls.certresolver: resolver_letsencrypt
+      traefik.http.routers.wiki.entrypoints: entry_https
+      traefik.http.services.wiki.loadbalancer.server.port: 80
+
+      traefik.http.routers.wiki.middlewares: nforwardauth
+#      traefik.http.routers.wiki.middlewares: ldap_auth
+#
+#    # ldapAuth Options
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.enabled: true
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.logLevel: DEBUG
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.url: ldap://lldap-app
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.port: 3890
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.baseDN: "ou=people,dc=grote,dc=lan"
+#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.attribute: uid
+
+      com.centurylinklabs.watchtower.enable: true
+
+######## Networks ########
+networks:
+  traefik:
+    external: true

host_vars/docker10.grote.lan.yml

@@ -76,6 +76,12 @@ compose_files:
   - name: whoami
     state: absent
     network: traefik_test
+  - name: wiki
+    state: present
+    network: traefik
+  - name: lldap
+    state: absent
+    network: ldap
 
 ### oefenweb.ufw
 ufw_rules:

roles/mgrote_docker_compose_inline/tasks/main.yml

@@ -37,6 +37,7 @@
     dest: "{{ compose_dest_basedir }}/{{ item | replace(compose_src_basedir + '/', '') | replace('.j2', '') }}"
   with_items: "{{ lookup('pipe', 'find '+ compose_src_basedir +'/ -type f -name *.j2').split('\n') }}"
   no_log: true
+  register: copy_template
 
 - name: Ensure needed networks exists
   become: true