From 31031608b8a409a4d72b8355040d95e2c45a3b02 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Sun, 10 Nov 2024 17:29:04 +0100
Subject: [PATCH 1/5] add authelia to registry-ui (#234)
Reviewed-on: https://git.mgrote.net/mg/homeserver/pulls/234
Co-authored-by: Michael Grote
Co-committed-by: Michael Grote
---
 docker-compose/registry/docker-compose.yml.j2 | 6 ++----
 docker-compose/traefik/configuration.yml.j2 | 6 ++++++
 docker-compose/traefik/docker-compose.yml.j2 | 3 +++
 group_vars/blocky.yml | 2 ++
 4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index a6e3096d..6dda59a6 100644
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@@ -91,9 +91,8 @@ services:
 timeout: 10s
 retries: 3
 labels:
- traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
- traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-ipallowlist # also entferne den Prefix danach wieder
- traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
+ traefik.http.routers.registry-ui.rule: Host(`rui.mgrote.net`)
+ traefik.http.routers.registry-ui.middlewares: authelia,registry-ui-ipallowlist # also entferne den Prefix danach wieder
 traefik.enable: true
 traefik.http.routers.registry-ui.tls: true
 traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
@@ -109,7 +108,6 @@ networks:
 external: true
 intern:
-
 ######## Volumes ########
 volumes:
 oci:
diff --git a/docker-compose/traefik/configuration.yml.j2 b/docker-compose/traefik/configuration.yml.j2
index 03ee4ea0..34b8085a 100644
--- a/docker-compose/traefik/configuration.yml.j2
+++ b/docker-compose/traefik/configuration.yml.j2
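Review bot: The trailing comment on the new middlewares line, `# also entferne den Prefix danach wieder`, describes the strip-prefix middleware this hunk removes, so next to `authelia,registry-ui-ipallowlist` it is now misleading; I would drop it or replace it with `# forward-auth via authelia, then source-IP allowlist`. Traefik applies middlewares in the listed order, so as written every request, including one from outside the allowed ranges, first triggers the forward-auth round trip to Authelia; listing `registry-ui-ipallowlist,authelia` instead rejects out-of-range sources before they ever reach the login flow. The `registry-ui-ipallowlist` definition itself lies outside this hunk.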
@@ -3,6 +3,8 @@ server.address: "0.0.0.0:9091"
+theme: auto
+
 log:
 level: debug
@@ -19,6 +21,10 @@ access_control:
 policy: one_factor
 subject:
 - 'group:authelia_wiki'
+ - domain: rui.mgrote.net
+ policy: one_factor
+ subject:
+ - 'group:authelia_registry-ui'
 session:
 name: authelia_session
diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2
index 40ff6641..49a0000d 100644
--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
@@ -26,6 +26,8 @@ services:
 interval: 30s
 timeout: 10s
 retries: 3
+ depends_on:
+ - authelia
 ######## authelia ########
 authelia:
@@ -51,6 +53,7 @@ services:
 traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
 depends_on:
 - authelia-redis
+ - authelia-db
 networks:
 - traefik
 - postfix
diff --git a/group_vars/blocky.yml b/group_vars/blocky.yml
index 585779dc..7eefd60a 100644
--- a/group_vars/blocky.yml
+++ b/group_vars/blocky.yml
@@ -90,6 +90,8 @@ blocky_custom_lookups: # optional
 ip: 192.168.2.40
 - name: s3.mgrote.net
 ip: 192.168.2.43
+ - name: rui.mgrote.net
+ ip: 192.168.2.43
 ### mgrote_munin_node
 # kann git.mgrote.net nicht auflösen, deshalb hiermit IP
From 977b66495ad5b27d186457a686796ad5556cae52 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Sun, 10 Nov 2024 17:30:54 +0100
Subject: [PATCH 2/5] traefik: rename router
---
 docker-compose/traefik/file-provider.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docker-compose/traefik/file-provider.yml b/docker-compose/traefik/file-provider.yml
index b6f6f9ae..5ee6e198 100644
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@@ -2,9 +2,9 @@ http:
 ###### router #####
 routers:
- router_gitea:
+ router_forgejo:
 rule: "Host(`git.mgrote.net`)"
- service: "service_gitea"
+ service: "service_forgejo"
 middlewares:
 - "ratelimit"
 entrypoints:
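Review bot: The new access rule for `rui.mgrote.net` uses `policy: one_factor`, yet the registry behind this UI runs with `REGISTRY_STORAGE_DELETE_ENABLED: true` and its CORS preflight allows `DELETE` (both visible in the registry compose file later in this series), so one factor is enough to delete images from the browser. If deleting via the UI is intended, `policy: two_factor` for this domain is worth considering; if one factor is a deliberate trade-off, say so on the rule, e.g. `# one_factor: UI is additionally limited to the local-net IP allowlist`. The `log: level: debug` in the context above is not part of this change but should not reach production unchanged.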
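Review bot: `depends_on: - authelia` in the short form only orders container start, so Traefik can come up and begin evaluating the `authelia` forwardauth middleware while Authelia is still initialising. Traefik does not forward the request when the auth server cannot be reached, so this is a startup race rather than a bypass, but if the authelia service defines a healthcheck the long form `depends_on: { authelia: { condition: service_healthy } }` removes the race; whether such a healthcheck exists is not visible in this hunk. The same consideration applies to the `- authelia-db` entry added in this file's second hunk.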
@@ -13,7 +13,7 @@ http:
 certresolver: resolver_letsencrypt
 ###### services #####
 services:
- service_gitea:
+ service_forgejo:
 loadBalancer:
 servers:
 - url: "http://forgejo.mgrote.net:3000/"
From b4860abb6a5108af92337e7e3a6c0d0a2c21d1d3 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Sun, 10 Nov 2024 18:07:12 +0100
Subject: [PATCH 3/5] traefik: combine all allowlist into fileprovider (#235)
Reviewed-on: https://git.mgrote.net/mg/homeserver/pulls/235
Co-authored-by: Michael Grote
Co-committed-by: Michael Grote
---
 docker-compose/gramps/docker-compose.yml.j2 | 2 --
 docker-compose/minio/docker-compose.yml.j2 | 15 ++------------
 docker-compose/registry/docker-compose.yml.j2 | 10 ++--------
 docker-compose/traefik/file-provider.yml | 13 +++++++++++--
 docker-compose/traefik/traefik.yml | 2 +-
 docker-compose/wiki/docker-compose.yml.j2 | 2 +-
 6 files changed, 17 insertions(+), 27 deletions(-)
diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2
index 597a3dce..91e4d925 100644
--- a/docker-compose/gramps/docker-compose.yml.j2
+++ b/docker-compose/gramps/docker-compose.yml.j2
@@ -62,5 +62,3 @@ volumes:
 gramps_db:
 gramps_media:
 gramps_tmp:
-
-# checkliste
diff --git a/docker-compose/minio/docker-compose.yml.j2 b/docker-compose/minio/docker-compose.yml.j2
index 39d2b830..e1da6f25 100644
--- a/docker-compose/minio/docker-compose.yml.j2
+++ b/docker-compose/minio/docker-compose.yml.j2
@@ -1,11 +1,11 @@
 services:
 minio:
- image: minio/minio:latest # add to renovate; https://github.com/renovatebot/renovate/issues/2438
+ image: minio/minio:latest # TODO: add to renovate; https://github.com/renovatebot/renovate/issues/2438
 container_name: minio
 restart: unless-stopped
 pull_policy: missing
 ports:
- # - '9000:9000' # S3
+ # - '9000:9000' # S3, nur über traefik
 - '9001:9001' # WebUI
 networks:
 - traefik
@@ -30,17 +30,6 @@ services:
 traefik.http.routers.minio-s3.tls.certresolver: resolver_letsencrypt
 traefik.http.routers.minio-s3.entrypoints: entry_https
 traefik.http.services.minio-s3.loadbalancer.server.port: 9000
- # WebUI
- # traefik.http.routers.minio-ui.service: minio-ui
- # traefik.http.routers.minio-ui.priority: "20"
- # traefik.http.routers.minio-ui.rule: Host(`ui-s3.mgrote.net`)
- # traefik.http.routers.minio-ui.tls: true
- # traefik.http.routers.minio-ui.tls.certresolver: resolver_letsencrypt
- # traefik.http.routers.minio-ui.entrypoints: entry_https
- # traefik.http.services.minio-ui.loadbalancer.server.port: 9001
- # traefik.http.routers.minio-ui.middlewares: minio-ui-ipallowlist # also entferne den Prefix danach wieder
- # traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24
- # traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
 ######## Networks ########
 networks:
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index 6dda59a6..5d59adb1 100644
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@@ -38,10 +38,7 @@ services:
 traefik.http.routers.registry.entrypoints: entry_https
 traefik.http.services.registry.loadbalancer.server.port: 5000
- traefik.http.routers.registry.middlewares: registry-ipallowlist
-
- traefik.http.middlewares.registry-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
- traefik.http.middlewares.registry-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
+ traefik.http.routers.registry.middlewares: allowlist_localnet@file,ratelimit40@file
 # registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect /etc/docker/registry/config.yml
@@ -92,16 +89,13 @@ services:
 retries: 3
 labels:
 traefik.http.routers.registry-ui.rule: Host(`rui.mgrote.net`)
- traefik.http.routers.registry-ui.middlewares: authelia,registry-ui-ipallowlist # also entferne den Prefix danach wieder
+ traefik.http.routers.registry-ui.middlewares: allowlist_localnet@file,ratelimit40@file,authelia@docker
 traefik.enable: true
 traefik.http.routers.registry-ui.tls: true
 traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
 traefik.http.routers.registry-ui.entrypoints: entry_https
 traefik.http.services.registry-ui.loadbalancer.server.port: 80
- traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
- traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
-
 ######## Networks ########
 networks:
 traefik:
diff --git a/docker-compose/traefik/file-provider.yml b/docker-compose/traefik/file-provider.yml
index 5ee6e198..081918fc 100644
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
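Review bot: The inline allowlist removed here included `172.18.0.0/16`, but `allowlist_localnet` as defined in this commit's file-provider hunk has that range commented out (`#- 172.18.0.0/16 # ???`), so clients on that network lose access to the registry with this commit even though the message describes a pure consolidation; the next commit in the series re-enables the range under "fix docker push". Either carry the range into the new middleware from the start or state the intended narrowing in the commit message. The same consolidation applies to the `registry-ui` router in this file's second hunk.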
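Review bot: `registry-ui` previously allowed only `192.168.2.0/24,10.25.25.0/24`; pointing it at the shared `allowlist_localnet@file` additionally admits `192.168.48.0/24` (commented as docker in the file-provider hunk), so the consolidation widens the UI's allowlist rather than just moving it. Authelia still gates the UI, which makes the change defensible, but the widening deserves either a comment on the new line such as `# shared allowlist is wider than the old per-router one; authelia is the real gate` or a separate, narrower file-provider middleware for the UI. The order `allowlist_localnet@file,ratelimit40@file,authelia@docker` is the right one: the cheap rejections happen before the forward-auth round trip.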
@@ -6,7 +6,7 @@ http:
 rule: "Host(`git.mgrote.net`)"
 service: "service_forgejo"
 middlewares:
- - "ratelimit"
+ - "ratelimit40@file"
 entrypoints:
 - entry_https
 tls:
@@ -19,10 +19,19 @@ http:
 - url: "http://forgejo.mgrote.net:3000/"
 ###### middlewares #####
 middlewares:
- ratelimit:
+ ratelimit40:
 rateLimit:
 average: 40
 burst: 80
 sourceCriterion:
 ipStrategy:
 depth: 2
+ allowlist_localnet:
+ ipallowlist:
+ sourcerange:
+ - 192.168.2.0/24
+ - 10.25.25.0/24
+ - 192.168.48.0/24 # docker
+ #- 172.18.0.0/16 # ???
+ ipstrategy:
+ depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
diff --git a/docker-compose/traefik/traefik.yml b/docker-compose/traefik/traefik.yml
index a7e97548..4db15bc0 100644
--- a/docker-compose/traefik/traefik.yml
+++ b/docker-compose/traefik/traefik.yml
@@ -31,7 +31,7 @@ certificatesResolvers:
 tlsChallenge: true
 log:
- level: INFO
+ level: INFO # TRACE , DEBUG , INFO , WARN , ERROR , FATAL , PANIC
 accessLog: {}
diff --git a/docker-compose/wiki/docker-compose.yml.j2 b/docker-compose/wiki/docker-compose.yml.j2
index 6bc7930b..4b1c26f3 100644
--- a/docker-compose/wiki/docker-compose.yml.j2
+++ b/docker-compose/wiki/docker-compose.yml.j2
@@ -26,7 +26,7 @@ services:
 traefik.http.routers.wiki.entrypoints: entry_https
 traefik.http.services.wiki.loadbalancer.server.port: 80
- traefik.http.routers.wiki.middlewares: authelia
+ traefik.http.routers.wiki.middlewares: authelia@docker
 ######## Networks ########
 networks:
From d22e8101e51c10648724143d982977f95be40b44 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Sun, 10 Nov 2024 19:45:26 +0100
Subject: [PATCH 4/5] traefik/registry: fix docker push
---
 docker-compose/registry/docker-compose.yml.j2 | 3 +--
 docker-compose/traefik/file-provider.yml | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index 5d59adb1..01f5147c 100644
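Review bot: The two middlewares in this hunk key on different notions of the client address: the new `allowlist_localnet` uses `ipstrategy: depth: 0` (the immediate peer), while `ratelimit40`, which this series now attaches to the registry routers as well, keeps `ipStrategy: depth: 2`, an address read from `X-Forwarded-For`. If Traefik is the first proxy a client reaches, the client can influence what sits at that depth by sending its own `X-Forwarded-For`, which lets it pick its rate-limit bucket; unless an upstream proxy rewrites that header (nothing here shows one), `depth: 0` for the rate limiter would be consistent with the allowlist. Whichever is correct, a comment on the rate limiter such as `# depth: 2 assumes an upstream proxy appends the real client IP` would record the assumption; the `rateLimit` body itself is unchanged context in this hunk.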
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@@ -6,7 +6,6 @@ services:
 image: "registry:2.8.3"
 volumes:
 - oci:/var/lib/registry
- - ./htpasswd:/auth/htpasswd
 networks:
 - traefik
 - intern
@@ -25,7 +24,7 @@ services:
 REGISTRY_STORAGE_DELETE_ENABLED: true
 REGISTRY_CATALOG_MAXENTRIES: 100000 # https://github.com/Joxit/docker-registry-ui/issues/306
 # https://joxit.dev/docker-registry-ui/#using-cors
- REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://registry.mgrote.net/ui/]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://rui.mgrote.net]'
 REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
 REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
 REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
diff --git a/docker-compose/traefik/file-provider.yml b/docker-compose/traefik/file-provider.yml
index 081918fc..07e207f0 100644
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@@ -32,6 +32,6 @@ http:
 - 192.168.2.0/24
 - 10.25.25.0/24
 - 192.168.48.0/24 # docker
- #- 172.18.0.0/16 # ???
+ - 172.18.0.0/16 # gitea-act-runner
 ipstrategy:
 depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
From 6e44d5cdd3d19d9f011c6e6503ec527644159898 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Mon, 11 Nov 2024 04:06:29 +0000
Subject: [PATCH 5/5] chore(deps): update ghcr.io/miniflux/miniflux docker tag to v2.2.3
---
 docker-compose/miniflux/docker-compose.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose/miniflux/docker-compose.yml.j2 b/docker-compose/miniflux/docker-compose.yml.j2
index 4c6071a6..8d596cb6 100644
--- a/docker-compose/miniflux/docker-compose.yml.j2
+++ b/docker-compose/miniflux/docker-compose.yml.j2
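Review bot: Dropping the `./htpasswd:/auth/htpasswd` mount changes what authenticates the registry, but the hunk does not show the matching `environment` change: if `REGISTRY_AUTH_HTPASSWD_PATH` still points at `/auth/htpasswd` the registry will fail to start, and if the `REGISTRY_AUTH_*` settings were dropped as well, push and pull are now authorised only by `allowlist_localnet@file`, a network-position check that this same commit extends to `172.18.0.0/16`, with no per-client credential at all. The message says only "fix docker push"; it should state which of the two is the case, and a comment on the `volumes` entry or the router label such as `# no htpasswd auth on the registry; access is gated by allowlist_localnet@file only` keeps the next reader from assuming credentials are still required. The registry service's `environment` block is outside this hunk.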
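Review bot: `- 172.18.0.0/16 # gitea-act-runner` admits an entire /16, which is typically the subnet Docker assigns to a user-defined bridge network, so every container on that network passes `allowlist_localnet`, not only the act runner; with `ipstrategy: depth: 0` the match is on the immediate peer address, so any such container reaches the registry and UI routers. If the runner has a fixed address or its own network, a narrower range keeps the allowlist to what the comment claims; if the whole network is intended, a comment like `# entire docker network, not just the runner` makes the scope explicit.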
@@ -2,7 +2,7 @@ services:
 ######## Miniflux ########
 miniflux:
 container_name: "mf-frontend"
- image: "ghcr.io/miniflux/miniflux:2.2.2"
+ image: "ghcr.io/miniflux/miniflux:2.2.3"
 restart: unless-stopped
 pull_policy: missing
 depends_on: