Merge branch 'master' into rsync_mirror_logging
commit
8c39ef4ed4
10 changed files with 34 additions and 36 deletions
|
@ -62,5 +62,3 @@ volumes:
|
||||||
gramps_db:
|
gramps_db:
|
||||||
gramps_media:
|
gramps_media:
|
||||||
gramps_tmp:
|
gramps_tmp:
|
||||||
|
|
||||||
# checkliste
|
|
||||||
|
|
|
@ -2,7 +2,7 @@ services:
|
||||||
######## Miniflux ########
|
######## Miniflux ########
|
||||||
miniflux:
|
miniflux:
|
||||||
container_name: "mf-frontend"
|
container_name: "mf-frontend"
|
||||||
image: "ghcr.io/miniflux/miniflux:2.2.2"
|
image: "ghcr.io/miniflux/miniflux:2.2.3"
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
pull_policy: missing
|
pull_policy: missing
|
||||||
depends_on:
|
depends_on:
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
services:
|
services:
|
||||||
minio:
|
minio:
|
||||||
image: minio/minio:latest # add to renovate; https://github.com/renovatebot/renovate/issues/2438
|
image: minio/minio:latest # TODO: add to renovate; https://github.com/renovatebot/renovate/issues/2438
|
||||||
container_name: minio
|
container_name: minio
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
pull_policy: missing
|
pull_policy: missing
|
||||||
ports:
|
ports:
|
||||||
# - '9000:9000' # S3
|
# - '9000:9000' # S3, nur über traefik
|
||||||
- '9001:9001' # WebUI
|
- '9001:9001' # WebUI
|
||||||
networks:
|
networks:
|
||||||
- traefik
|
- traefik
|
||||||
|
@ -30,17 +30,6 @@ services:
|
||||||
traefik.http.routers.minio-s3.tls.certresolver: resolver_letsencrypt
|
traefik.http.routers.minio-s3.tls.certresolver: resolver_letsencrypt
|
||||||
traefik.http.routers.minio-s3.entrypoints: entry_https
|
traefik.http.routers.minio-s3.entrypoints: entry_https
|
||||||
traefik.http.services.minio-s3.loadbalancer.server.port: 9000
|
traefik.http.services.minio-s3.loadbalancer.server.port: 9000
|
||||||
# WebUI
|
|
||||||
# traefik.http.routers.minio-ui.service: minio-ui
|
|
||||||
# traefik.http.routers.minio-ui.priority: "20"
|
|
||||||
# traefik.http.routers.minio-ui.rule: Host(`ui-s3.mgrote.net`)
|
|
||||||
# traefik.http.routers.minio-ui.tls: true
|
|
||||||
# traefik.http.routers.minio-ui.tls.certresolver: resolver_letsencrypt
|
|
||||||
# traefik.http.routers.minio-ui.entrypoints: entry_https
|
|
||||||
# traefik.http.services.minio-ui.loadbalancer.server.port: 9001
|
|
||||||
# traefik.http.routers.minio-ui.middlewares: minio-ui-ipallowlist # also entferne den Prefix danach wieder
|
|
||||||
# traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24
|
|
||||||
# traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
|
|
||||||
|
|
||||||
######## Networks ########
|
######## Networks ########
|
||||||
networks:
|
networks:
|
||||||
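Review bot: The MinIO console is still published straight on the host via `- '9001:9001' # WebUI` (first hunk) with no allowlist or forward-auth in front of it, while the second hunk deletes the commented-out `minio-ui` traefik router and its `ipallowlist` instead of wiring them up, so only the S3 API is fronted by traefik. This commit introduces `allowlist_localnet@file` and `ratelimit40@file` in the dynamic config, so the console could be routed the same way (`traefik.http.routers.minio-ui.middlewares: allowlist_localnet@file,ratelimit40@file`) and the host binding dropped or restricted, e.g. `- '127.0.0.1:9001:9001'`; whether port 9001 is reachable beyond the LAN depends on the host firewall, which is not visible here. Separately, `minio/minio:latest` combined with `pull_policy: missing` means the running version is whatever was first pulled and is not recorded anywhere; the TODO added in the comment would be easier to act on with an explicit tag or digest, which also makes rollbacks reproducible.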
|
|
|
@ -6,7 +6,6 @@ services:
|
||||||
image: "registry:2.8.3"
|
image: "registry:2.8.3"
|
||||||
volumes:
|
volumes:
|
||||||
- oci:/var/lib/registry
|
- oci:/var/lib/registry
|
||||||
- ./htpasswd:/auth/htpasswd
|
|
||||||
networks:
|
networks:
|
||||||
- traefik
|
- traefik
|
||||||
- intern
|
- intern
|
||||||
|
@ -25,7 +24,7 @@ services:
|
||||||
REGISTRY_STORAGE_DELETE_ENABLED: true
|
REGISTRY_STORAGE_DELETE_ENABLED: true
|
||||||
REGISTRY_CATALOG_MAXENTRIES: 100000 # https://github.com/Joxit/docker-registry-ui/issues/306
|
REGISTRY_CATALOG_MAXENTRIES: 100000 # https://github.com/Joxit/docker-registry-ui/issues/306
|
||||||
# https://joxit.dev/docker-registry-ui/#using-cors
|
# https://joxit.dev/docker-registry-ui/#using-cors
|
||||||
REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://registry.mgrote.net/ui/]'
|
REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://rui.mgrote.net]'
|
||||||
REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
|
REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
|
||||||
REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
|
REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
|
||||||
REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
|
REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
|
||||||
|
@ -38,10 +37,7 @@ services:
|
||||||
traefik.http.routers.registry.entrypoints: entry_https
|
traefik.http.routers.registry.entrypoints: entry_https
|
||||||
traefik.http.services.registry.loadbalancer.server.port: 5000
|
traefik.http.services.registry.loadbalancer.server.port: 5000
|
||||||
|
|
||||||
traefik.http.routers.registry.middlewares: registry-ipallowlist
|
traefik.http.routers.registry.middlewares: allowlist_localnet@file,ratelimit40@file
|
||||||
|
|
||||||
traefik.http.middlewares.registry-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
|
|
||||||
traefik.http.middlewares.registry-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
|
|
||||||
|
|
||||||
# registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect /etc/docker/registry/config.yml
|
# registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect /etc/docker/registry/config.yml
|
||||||
|
|
||||||
|
@ -91,25 +87,20 @@ services:
|
||||||
timeout: 10s
|
timeout: 10s
|
||||||
retries: 3
|
retries: 3
|
||||||
labels:
|
labels:
|
||||||
traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
|
traefik.http.routers.registry-ui.rule: Host(`rui.mgrote.net`)
|
||||||
traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-ipallowlist # also entferne den Prefix danach wieder
|
traefik.http.routers.registry-ui.middlewares: allowlist_localnet@file,ratelimit40@file,authelia@docker
|
||||||
traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
|
|
||||||
traefik.enable: true
|
traefik.enable: true
|
||||||
traefik.http.routers.registry-ui.tls: true
|
traefik.http.routers.registry-ui.tls: true
|
||||||
traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
|
traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
|
||||||
traefik.http.routers.registry-ui.entrypoints: entry_https
|
traefik.http.routers.registry-ui.entrypoints: entry_https
|
||||||
traefik.http.services.registry-ui.loadbalancer.server.port: 80
|
traefik.http.services.registry-ui.loadbalancer.server.port: 80
|
||||||
|
|
||||||
traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
|
|
||||||
traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
|
|
||||||
|
|
||||||
######## Networks ########
|
######## Networks ########
|
||||||
networks:
|
networks:
|
||||||
traefik:
|
traefik:
|
||||||
external: true
|
external: true
|
||||||
intern:
|
intern:
|
||||||
|
|
||||||
|
|
||||||
######## Volumes ########
|
######## Volumes ########
|
||||||
volumes:
|
volumes:
|
||||||
oci:
|
oci:
|
||||||
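Review bot: With `- ./htpasswd:/auth/htpasswd` removed (first hunk) and the `registry` router guarded only by `allowlist_localnet@file,ratelimit40@file` (third hunk) — no `authelia@docker`, unlike `registry-ui` — the registry API at registry.mgrote.net appears to accept pushes and, given the context line `REGISTRY_STORAGE_DELETE_ENABLED: true`, deletes from any address in the allowlist without credentials; any `REGISTRY_AUTH_HTPASSWD_*` environment that went with the mount is outside the visible hunks, so confirm it was removed as well and that no client still sends those credentials. The referenced allowlist includes `172.18.0.0/16` for the act-runner, so CI job containers executing workflow-defined code on that bridge would have the same unauthenticated write access. If dropping htpasswd is deliberate because docker clients cannot follow forward-auth, say so next to the label, e.g. `# no authelia here: docker clients cannot do forward-auth, write access relies on allowlist_localnet only`, and narrow the runner range to the runner's own address or a dedicated subnet.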
|
|
|
@ -3,6 +3,8 @@
|
||||||
|
|
||||||
server.address: "0.0.0.0:9091"
|
server.address: "0.0.0.0:9091"
|
||||||
|
|
||||||
|
theme: auto
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: debug
|
||||||
|
|
||||||
|
@ -19,6 +21,10 @@ access_control:
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
subject:
|
subject:
|
||||||
- 'group:authelia_wiki'
|
- 'group:authelia_wiki'
|
||||||
|
- domain: rui.mgrote.net
|
||||||
|
policy: one_factor
|
||||||
|
subject:
|
||||||
|
- 'group:authelia_registry-ui'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
name: authelia_session
|
name: authelia_session
|
||||||
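Review bot: The new rule for `domain: rui.mgrote.net` uses `policy: one_factor`, yet the UI behind it drives a registry whose CORS config in this same commit allows `DELETE` with credentials and whose `REGISTRY_STORAGE_DELETE_ENABLED` is `true`, so a single stolen password is enough to remove images. Consider `policy: two_factor` for this domain if a second factor is enrolled for the `authelia_registry-ui` group, or add a comment stating why one factor is acceptable here. Unrelated to the added lines but visible as context in the first hunk, `level: debug` under `log:` is a verbose setting for an authentication service; revisit it before this configuration is considered production.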
|
|
|
@ -26,6 +26,8 @@ services:
|
||||||
interval: 30s
|
interval: 30s
|
||||||
timeout: 10s
|
timeout: 10s
|
||||||
retries: 3
|
retries: 3
|
||||||
|
depends_on:
|
||||||
|
- authelia
|
||||||
|
|
||||||
######## authelia ########
|
######## authelia ########
|
||||||
authelia:
|
authelia:
|
||||||
|
@ -51,6 +53,7 @@ services:
|
||||||
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
|
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
|
||||||
depends_on:
|
depends_on:
|
||||||
- authelia-redis
|
- authelia-redis
|
||||||
|
- authelia-db
|
||||||
networks:
|
networks:
|
||||||
- traefik
|
- traefik
|
||||||
- postfix
|
- postfix
|
||||||
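Review bot: The added `depends_on: - authelia` (first hunk) and `- authelia-db` (second hunk) only order container start, not readiness, so the forward-auth middleware will answer with errors until authelia is actually serving; the service above the first hunk already defines a healthcheck (`interval`/`timeout`/`retries` context lines), so the long form is preferable wherever the dependency has one: `depends_on:` / `  authelia:` / `    condition: service_healthy`. Whether authelia and authelia-db define healthchecks is outside the visible lines, and the service that receives the first `depends_on` starts outside the hunk.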
|
|
|
@ -2,27 +2,36 @@
|
||||||
http:
|
http:
|
||||||
###### router #####
|
###### router #####
|
||||||
routers:
|
routers:
|
||||||
router_gitea:
|
router_forgejo:
|
||||||
rule: "Host(`git.mgrote.net`)"
|
rule: "Host(`git.mgrote.net`)"
|
||||||
service: "service_gitea"
|
service: "service_forgejo"
|
||||||
middlewares:
|
middlewares:
|
||||||
- "ratelimit"
|
- "ratelimit40@file"
|
||||||
entrypoints:
|
entrypoints:
|
||||||
- entry_https
|
- entry_https
|
||||||
tls:
|
tls:
|
||||||
certresolver: resolver_letsencrypt
|
certresolver: resolver_letsencrypt
|
||||||
###### services #####
|
###### services #####
|
||||||
services:
|
services:
|
||||||
service_gitea:
|
service_forgejo:
|
||||||
loadBalancer:
|
loadBalancer:
|
||||||
servers:
|
servers:
|
||||||
- url: "http://forgejo.mgrote.net:3000/"
|
- url: "http://forgejo.mgrote.net:3000/"
|
||||||
###### middlewares #####
|
###### middlewares #####
|
||||||
middlewares:
|
middlewares:
|
||||||
ratelimit:
|
ratelimit40:
|
||||||
rateLimit:
|
rateLimit:
|
||||||
average: 40
|
average: 40
|
||||||
burst: 80
|
burst: 80
|
||||||
sourceCriterion:
|
sourceCriterion:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
depth: 2
|
depth: 2
|
||||||
|
allowlist_localnet:
|
||||||
|
ipallowlist:
|
||||||
|
sourcerange:
|
||||||
|
- 192.168.2.0/24
|
||||||
|
- 10.25.25.0/24
|
||||||
|
- 192.168.48.0/24 # docker
|
||||||
|
- 172.18.0.0/16 # gitea-act-runner
|
||||||
|
ipstrategy:
|
||||||
|
depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
|
||||||
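Review bot: `allowlist_localnet` admits the whole `172.18.0.0/16`, commented as `gitea-act-runner`, which is a Docker bridge range; every container on that bridge — including the job containers the runner spawns to execute workflow-defined code — is treated as local, so any router protected by this middleware alone is reachable from CI jobs. Narrow it to the runner's address or a dedicated subnet and make the risk explicit in the comment, e.g. `- 172.18.0.0/16 # act-runner bridge: every CI job container lands here, narrow if a router uses this allowlist without authelia`. The `depth: 0` on the new middleware makes traefik use the connection's remote address rather than X-Forwarded-For, which is the right choice for an allowlist; note that the unchanged `ratelimit40` above uses `depth: 2`, which only identifies the real client if the expected number of trusted proxies sits in front of traefik — confirm that matches the deployment or align it with the allowlist.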
|
|
|
@ -31,7 +31,7 @@ certificatesResolvers:
|
||||||
tlsChallenge: true
|
tlsChallenge: true
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: INFO
|
level: INFO # TRACE , DEBUG , INFO , WARN , ERROR , FATAL , PANIC
|
||||||
|
|
||||||
accessLog: {}
|
accessLog: {}
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ services:
|
||||||
traefik.http.routers.wiki.entrypoints: entry_https
|
traefik.http.routers.wiki.entrypoints: entry_https
|
||||||
traefik.http.services.wiki.loadbalancer.server.port: 80
|
traefik.http.services.wiki.loadbalancer.server.port: 80
|
||||||
|
|
||||||
traefik.http.routers.wiki.middlewares: authelia
|
traefik.http.routers.wiki.middlewares: authelia@docker
|
||||||
|
|
||||||
######## Networks ########
|
######## Networks ########
|
||||||
networks:
|
networks:
|
||||||
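Review bot: The wiki router keeps `authelia@docker` alone while `registry-ui` in this commit chains `allowlist_localnet@file,ratelimit40@file,authelia@docker`; if the wiki is meant to be reachable from outside the LAN, putting at least `ratelimit40@file` in front of authelia would throttle password guessing against the forward-auth login, e.g. `traefik.http.routers.wiki.middlewares: ratelimit40@file,authelia@docker`. Middlewares are applied left to right, so the rate limiter must be listed before `authelia@docker` to take effect on the login round-trip.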
|
|
|
@ -90,6 +90,8 @@ blocky_custom_lookups: # optional
|
||||||
ip: 192.168.2.40
|
ip: 192.168.2.40
|
||||||
- name: s3.mgrote.net
|
- name: s3.mgrote.net
|
||||||
ip: 192.168.2.43
|
ip: 192.168.2.43
|
||||||
|
- name: rui.mgrote.net
|
||||||
|
ip: 192.168.2.43
|
||||||
|
|
||||||
### mgrote_munin_node
|
### mgrote_munin_node
|
||||||
# kann git.mgrote.net nicht auflösen, deshalb hiermit IP
|
# kann git.mgrote.net nicht auflösen, deshalb hiermit IP
|
||||||
|
|