diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2
index 597a3dce..91e4d925 100644
--- a/docker-compose/gramps/docker-compose.yml.j2
+++ b/docker-compose/gramps/docker-compose.yml.j2
@@ -62,5 +62,3 @@ volumes:
 gramps_db:
 gramps_media:
 gramps_tmp:
-
-# checkliste
diff --git a/docker-compose/miniflux/docker-compose.yml.j2 b/docker-compose/miniflux/docker-compose.yml.j2
index 4c6071a6..8d596cb6 100644
--- a/docker-compose/miniflux/docker-compose.yml.j2
+++ b/docker-compose/miniflux/docker-compose.yml.j2
@@ -2,7 +2,7 @@ services:
 ######## Miniflux ########
 miniflux:
 container_name: "mf-frontend"
- image: "ghcr.io/miniflux/miniflux:2.2.2"
+ image: "ghcr.io/miniflux/miniflux:2.2.3"
 restart: unless-stopped
 pull_policy: missing
 depends_on:
diff --git a/docker-compose/minio/docker-compose.yml.j2 b/docker-compose/minio/docker-compose.yml.j2
index 39d2b830..e1da6f25 100644
--- a/docker-compose/minio/docker-compose.yml.j2
+++ b/docker-compose/minio/docker-compose.yml.j2
@@ -1,11 +1,11 @@
 services:
 minio:
- image: minio/minio:latest # add to renovate; https://github.com/renovatebot/renovate/issues/2438
+ image: minio/minio:latest # TODO: add to renovate; https://github.com/renovatebot/renovate/issues/2438
 container_name: minio
 restart: unless-stopped
 pull_policy: missing
 ports:
- # - '9000:9000' # S3
+ # - '9000:9000' # S3, nur über traefik
 - '9001:9001' # WebUI
 networks:
 - traefik
@@ -30,17 +30,6 @@ services:
 traefik.http.routers.minio-s3.tls.certresolver: resolver_letsencrypt
 traefik.http.routers.minio-s3.entrypoints: entry_https
 traefik.http.services.minio-s3.loadbalancer.server.port: 9000
- # WebUI
- # traefik.http.routers.minio-ui.service: minio-ui
- # traefik.http.routers.minio-ui.priority: "20"
- # traefik.http.routers.minio-ui.rule: Host(`ui-s3.mgrote.net`)
- # traefik.http.routers.minio-ui.tls: true
- # traefik.http.routers.minio-ui.tls.certresolver: resolver_letsencrypt
- # traefik.http.routers.minio-ui.entrypoints: entry_https
- # traefik.http.services.minio-ui.loadbalancer.server.port: 9001
- # traefik.http.routers.minio-ui.middlewares: minio-ui-ipallowlist # also entferne den Prefix danach wieder
- # traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24
- # traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
 ######## Networks ########
 networks:
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index a6e3096d..01f5147c 100644
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@@ -6,7 +6,6 @@ services:
 image: "registry:2.8.3"
 volumes:
 - oci:/var/lib/registry
- - ./htpasswd:/auth/htpasswd
 networks:
 - traefik
 - intern
@@ -25,7 +24,7 @@ services:
 REGISTRY_STORAGE_DELETE_ENABLED: true
 REGISTRY_CATALOG_MAXENTRIES: 100000 # https://github.com/Joxit/docker-registry-ui/issues/306
 # https://joxit.dev/docker-registry-ui/#using-cors
- REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://registry.mgrote.net/ui/]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://rui.mgrote.net]'
 REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
 REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
 REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
@@ -38,10 +37,7 @@ services:
 traefik.http.routers.registry.entrypoints: entry_https
 traefik.http.services.registry.loadbalancer.server.port: 5000
- traefik.http.routers.registry.middlewares: registry-ipallowlist
-
- traefik.http.middlewares.registry-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
- traefik.http.middlewares.registry-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
+ traefik.http.routers.registry.middlewares: allowlist_localnet@file,ratelimit40@file
 # registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect /etc/docker/registry/config.yml
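Review bot: The registry router's new middleware chain `allowlist_localnet@file,ratelimit40@file` carries no authentication step, while the first hunk of this file drops the `./htpasswd:/auth/htpasswd` mount that appears to have backed registry credentials; the `REGISTRY_AUTH_*` environment is not in the diff, so confirm it was adjusted in the same commit. If `REGISTRY_AUTH_HTPASSWD_PATH` still references `/auth/htpasswd` the registry will either fail to start or reject every request, and if htpasswd auth was removed, any host in the allowlisted ranges — including the `192.168.48.0/24` and `172.18.0.0/16` container ranges — can push without credentials and, given `REGISTRY_STORAGE_DELETE_ENABLED: true` plus `DELETE` in the CORS methods, delete as well. The `authelia@docker` middleware added to the registry-ui router in the later hunk (-91,25) of this file does not close that gap: the Allow-Origin/Allow-Credentials headers indicate the browser calls the registry API at registry.mgrote.net directly, so authentication has to live on the registry router or inside the registry's own auth configuration. At minimum record the intended trust model on the middlewares line, e.g. `# no login on the registry endpoint: push/delete is limited only by allowlist_localnet`.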
@@ -91,25 +87,20 @@ services:
 timeout: 10s
 retries: 3
 labels:
- traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
- traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-ipallowlist # also entferne den Prefix danach wieder
- traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
+ traefik.http.routers.registry-ui.rule: Host(`rui.mgrote.net`)
+ traefik.http.routers.registry-ui.middlewares: allowlist_localnet@file,ratelimit40@file,authelia@docker
 traefik.enable: true
 traefik.http.routers.registry-ui.tls: true
 traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
 traefik.http.routers.registry-ui.entrypoints: entry_https
 traefik.http.services.registry-ui.loadbalancer.server.port: 80
- traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
- traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
-
 ######## Networks ########
 networks:
 traefik:
 external: true
 intern:
-
 ######## Volumes ########
 volumes:
 oci:
diff --git a/docker-compose/traefik/configuration.yml.j2 b/docker-compose/traefik/configuration.yml.j2
index 03ee4ea0..34b8085a 100644
--- a/docker-compose/traefik/configuration.yml.j2
+++ b/docker-compose/traefik/configuration.yml.j2
@@ -3,6 +3,8 @@ server.address: "0.0.0.0:9091"
+theme: auto
+
 log:
 level: debug
@@ -19,6 +21,10 @@ access_control:
 policy: one_factor
 subject:
 - 'group:authelia_wiki'
+ - domain: rui.mgrote.net
+ policy: one_factor
+ subject:
+ - 'group:authelia_registry-ui'
 session:
 name: authelia_session
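Review bot: Switching the registry-ui router to the shared `allowlist_localnet@file` widens its source allowlist: the removed per-router list admitted only `192.168.2.0/24,10.25.25.0/24` and its `# .48. ist Docker` comment shows the container ranges were left out on purpose, whereas `allowlist_localnet` (defined in file-provider.yml in this commit) also admits `192.168.48.0/24` and `172.18.0.0/16`. The newly added `authelia@docker` in the same chain probably makes that acceptable, but the change is silent, so note it on the middlewares line, e.g. `# allowlist_localnet includes the docker/runner ranges; authelia@docker provides the actual login gate`. The ordering allowlist → ratelimit → authelia is sensible since rejected sources never reach the forward-auth round trip. The `labels:` mapping this hunk edits starts inside the hunk, but the registry-ui service definition itself begins above it.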
diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2
index 40ff6641..49a0000d 100644
--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
@@ -26,6 +26,8 @@ services:
 interval: 30s
 timeout: 10s
 retries: 3
+ depends_on:
+ - authelia
 ######## authelia ########
 authelia:
@@ -51,6 +53,7 @@ services:
 traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
 depends_on:
 - authelia-redis
+ - authelia-db
 networks:
 - traefik
 - postfix
diff --git a/docker-compose/traefik/file-provider.yml b/docker-compose/traefik/file-provider.yml
index b6f6f9ae..07e207f0 100644
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@@ -2,27 +2,36 @@ http:
 ###### router #####
 routers:
- router_gitea:
+ router_forgejo:
 rule: "Host(`git.mgrote.net`)"
- service: "service_gitea"
+ service: "service_forgejo"
 middlewares:
- - "ratelimit"
+ - "ratelimit40@file"
 entrypoints:
 - entry_https
 tls:
 certresolver: resolver_letsencrypt
 ###### services #####
 services:
- service_gitea:
+ service_forgejo:
 loadBalancer:
 servers:
 - url: "http://forgejo.mgrote.net:3000/"
 ###### middlewares #####
 middlewares:
- ratelimit:
+ ratelimit40:
 rateLimit:
 average: 40
 burst: 80
 sourceCriterion:
 ipStrategy:
 depth: 2
+ allowlist_localnet:
+ ipallowlist:
+ sourcerange:
+ - 192.168.2.0/24
+ - 10.25.25.0/24
+ - 192.168.48.0/24 # docker
+ - 172.18.0.0/16 # gitea-act-runner
+ ipstrategy:
+ depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
diff --git a/docker-compose/traefik/traefik.yml b/docker-compose/traefik/traefik.yml
index a7e97548..4db15bc0 100644
--- a/docker-compose/traefik/traefik.yml
+++ b/docker-compose/traefik/traefik.yml
@@ -31,7 +31,7 @@ certificatesResolvers:
 tlsChallenge: true
 log:
- level: INFO
+ level: INFO # TRACE , DEBUG , INFO , WARN , ERROR , FATAL , PANIC
 accessLog: {}
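Review bot: In the file-provider.yml hunk the new `allowlist_localnet` derives the client address with `ipstrategy.depth: 0` while the renamed `ratelimit40` keeps `ipStrategy.depth: 2`, so the two middlewares that are now chained together on the registry and registry-ui routers can attribute the same request to different addresses; per the Traefik page linked on the depth line, a depth larger than the number of X-Forwarded-For entries yields an empty client IP, which for the rate limiter would presumably put every such client into one shared bucket. Unless exactly two trusted proxies sit in front of Traefik for these hosts, align it with `depth: 0`, or add a comment naming the proxy chain that justifies 2. The allowlist also admits the whole `172.18.0.0/16` and `192.168.48.0/24` ranges, so any container on those networks passes — the existing `# docker` / `# gitea-act-runner` comments would read better as `# docker network: every container on it passes` and `# gitea-act-runner network: every container on it passes`. As a style point the new block uses `ipallowlist`/`sourcerange`/`ipstrategy` while the rest of the file is camelCase (`rateLimit`, `sourceCriterion`, `ipStrategy`); Traefik's file provider tolerates either as far as I know, but `ipAllowList`/`sourceRange`/`ipStrategy` would match the file.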
diff --git a/docker-compose/wiki/docker-compose.yml.j2 b/docker-compose/wiki/docker-compose.yml.j2
index 6bc7930b..4b1c26f3 100644
--- a/docker-compose/wiki/docker-compose.yml.j2
+++ b/docker-compose/wiki/docker-compose.yml.j2
@@ -26,7 +26,7 @@ services:
 traefik.http.routers.wiki.entrypoints: entry_https
 traefik.http.services.wiki.loadbalancer.server.port: 80
- traefik.http.routers.wiki.middlewares: authelia
+ traefik.http.routers.wiki.middlewares: authelia@docker
 ######## Networks ########
 networks:
diff --git a/group_vars/blocky.yml b/group_vars/blocky.yml
index 585779dc..7eefd60a 100644
--- a/group_vars/blocky.yml
+++ b/group_vars/blocky.yml
@@ -90,6 +90,8 @@ blocky_custom_lookups: # optional
 ip: 192.168.2.40
 - name: s3.mgrote.net
 ip: 192.168.2.43
+ - name: rui.mgrote.net
+ ip: 192.168.2.43
 ### mgrote_munin_node
 # kann git.mgrote.net nicht auflösen, deshalb hiermit IP