docker-compose/gramps/docker-compose.yml.j2

@@ -62,5 +62,3 @@ volumes:
   gramps_db:
   gramps_media:
   gramps_tmp:
-
-# checkliste

docker-compose/miniflux/docker-compose.yml.j2

@@ -2,7 +2,7 @@ services:
 ######## Miniflux ########
   miniflux:
     container_name: "mf-frontend"
-    image: "ghcr.io/miniflux/miniflux:2.2.2"
+    image: "ghcr.io/miniflux/miniflux:2.2.3"
     restart: unless-stopped
     pull_policy: missing
     depends_on:

docker-compose/minio/docker-compose.yml.j2

@@ -1,11 +1,11 @@
 services:
   minio:
-    image: minio/minio:latest # add to renovate; https://github.com/renovatebot/renovate/issues/2438
+    image: minio/minio:latest # TODO: add to renovate; https://github.com/renovatebot/renovate/issues/2438
     container_name: minio
     restart: unless-stopped
     pull_policy: missing
     ports:
-      # - '9000:9000' # S3
+      # - '9000:9000' # S3, nur über traefik
       - '9001:9001' # WebUI
     networks:
       - traefik
@@ -30,17 +30,6 @@ services:
       traefik.http.routers.minio-s3.tls.certresolver: resolver_letsencrypt
       traefik.http.routers.minio-s3.entrypoints: entry_https
       traefik.http.services.minio-s3.loadbalancer.server.port: 9000
-      # WebUI
-      # traefik.http.routers.minio-ui.service: minio-ui
-      # traefik.http.routers.minio-ui.priority: "20"
-      # traefik.http.routers.minio-ui.rule: Host(`ui-s3.mgrote.net`)
-      # traefik.http.routers.minio-ui.tls: true
-      # traefik.http.routers.minio-ui.tls.certresolver: resolver_letsencrypt
-      # traefik.http.routers.minio-ui.entrypoints: entry_https
-      # traefik.http.services.minio-ui.loadbalancer.server.port: 9001
-      # traefik.http.routers.minio-ui.middlewares: minio-ui-ipallowlist # also entferne den Prefix danach wieder
-      # traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24
-      # traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
 
 ######## Networks ########
 networks:

docker-compose/registry/docker-compose.yml.j2

@@ -6,7 +6,6 @@ services:
     image: "registry:2.8.3"
     volumes:
       - oci:/var/lib/registry
-      - ./htpasswd:/auth/htpasswd
     networks:
       - traefik
       - intern
@@ -25,7 +24,7 @@ services:
       REGISTRY_STORAGE_DELETE_ENABLED: true
       REGISTRY_CATALOG_MAXENTRIES: 100000 # https://github.com/Joxit/docker-registry-ui/issues/306
       # https://joxit.dev/docker-registry-ui/#using-cors
-      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://registry.mgrote.net/ui/]'
+      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://rui.mgrote.net]'
       REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
       REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
       REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
@@ -38,10 +37,7 @@ services:
       traefik.http.routers.registry.entrypoints: entry_https
       traefik.http.services.registry.loadbalancer.server.port: 5000
 
-      traefik.http.routers.registry.middlewares: registry-ipallowlist
+      traefik.http.routers.registry.middlewares: allowlist_localnet@file,ratelimit40@file
-
-      traefik.http.middlewares.registry-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
-      traefik.http.middlewares.registry-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
 
     # registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect /etc/docker/registry/config.yml
 
@@ -91,25 +87,20 @@ services:
       timeout: 10s
       retries: 3
     labels:
-      traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
+      traefik.http.routers.registry-ui.rule: Host(`rui.mgrote.net`)
-      traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-ipallowlist # also entferne den Prefix danach wieder
+      traefik.http.routers.registry-ui.middlewares: allowlist_localnet@file,ratelimit40@file,authelia@docker
-      traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
       traefik.enable: true
       traefik.http.routers.registry-ui.tls: true
       traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
       traefik.http.routers.registry-ui.entrypoints: entry_https
       traefik.http.services.registry-ui.loadbalancer.server.port: 80
 
-      traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
-      traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
-
 ######## Networks ########
 networks:
   traefik:
     external: true
   intern:
 
-
 ######## Volumes ########
 volumes:
   oci:

docker-compose/traefik/configuration.yml.j2

@@ -3,6 +3,8 @@
 
 server.address: "0.0.0.0:9091"
 
+theme: auto
+
 log:
   level: debug
 
@@ -19,6 +21,10 @@ access_control:
       policy: one_factor
       subject:
         - 'group:authelia_wiki'
+    - domain: rui.mgrote.net
+      policy: one_factor
+      subject:
+        - 'group:authelia_registry-ui'
 
 session:
   name: authelia_session

docker-compose/traefik/docker-compose.yml.j2

@@ -26,6 +26,8 @@ services:
       interval: 30s
       timeout: 10s
       retries: 3
+    depends_on:
+      - authelia
 
 ######## authelia ########
   authelia:
@@ -51,6 +53,7 @@ services:
       traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
     depends_on:
       - authelia-redis
+      - authelia-db
     networks:
       - traefik
       - postfix

docker-compose/traefik/file-provider.yml

@@ -2,27 +2,36 @@
 http:
 ###### router #####
   routers:
-    router_gitea:
+    router_forgejo:
       rule: "Host(`git.mgrote.net`)"
-      service: "service_gitea"
+      service: "service_forgejo"
       middlewares:
-        - "ratelimit"
+        - "ratelimit40@file"
       entrypoints:
         - entry_https
       tls:
         certresolver: resolver_letsencrypt
 ###### services #####
   services:
-    service_gitea:
+    service_forgejo:
       loadBalancer:
         servers:
           - url: "http://forgejo.mgrote.net:3000/"
 ###### middlewares #####
   middlewares:
-    ratelimit:
+    ratelimit40:
       rateLimit:
         average: 40
         burst: 80
         sourceCriterion:
           ipStrategy:
             depth: 2
+    allowlist_localnet:
+      ipallowlist:
+        sourcerange:
+          - 192.168.2.0/24
+          - 10.25.25.0/24
+          - 192.168.48.0/24 # docker
+          - 172.18.0.0/16 # gitea-act-runner
+        ipstrategy:
+          depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth

docker-compose/traefik/traefik.yml

@@ -31,7 +31,7 @@ certificatesResolvers:
       tlsChallenge: true
 
 log:
-  level: INFO
+  level: INFO # TRACE , DEBUG , INFO , WARN , ERROR , FATAL , PANIC
 
 accessLog: {}
 

docker-compose/wiki/docker-compose.yml.j2

@@ -26,7 +26,7 @@ services:
       traefik.http.routers.wiki.entrypoints: entry_https
       traefik.http.services.wiki.loadbalancer.server.port: 80
 
-      traefik.http.routers.wiki.middlewares: authelia
+      traefik.http.routers.wiki.middlewares: authelia@docker
 
 ######## Networks ########
 networks:

group_vars/blocky.yml

@@ -90,6 +90,8 @@ blocky_custom_lookups: # optional
     ip: 192.168.2.40
   - name: s3.mgrote.net
     ip: 192.168.2.43
+  - name: rui.mgrote.net
+    ip: 192.168.2.43
 
 ### mgrote_munin_node
 # kann git.mgrote.net nicht auflösen, deshalb hiermit IP