Add services
This commit is contained in:
parent
585dbbde02
commit
07f27f274d
13 changed files with 418 additions and 0 deletions
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
build/*
|
||||||
|
!build/.gitkeep
|
15
.helpers/render.sh
Normal file
15
.helpers/render.sh
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
#
|
||||||
|
set -o errexit
|
||||||
|
set -o nounset
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
|
directory=$1
|
||||||
|
|
||||||
|
export $(xargs < ./config/production.cfg)
|
||||||
|
mkdir -p build/${directory}
|
||||||
|
|
||||||
|
for i in $(find "./templates/${directory}" -mindepth 1 -type f); do
|
||||||
|
file=$(basename ${i})
|
||||||
|
envsubst < "./templates/${directory}/${file}" > "./build/${directory}/${file}"
|
||||||
|
done
|
10
Makefile
Normal file
10
Makefile
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
all: compose traefik gitea
|
||||||
|
|
||||||
|
compose:
|
||||||
|
bash ./.helpers/render.sh compose
|
||||||
|
|
||||||
|
traefik: compose
|
||||||
|
bash ./.helpers/render.sh traefik
|
||||||
|
|
||||||
|
gitea: compose
|
||||||
|
bash ./.helpers/render.sh gitea
|
0
build/.gitkeep
Normal file
0
build/.gitkeep
Normal file
94
templates/compose/docker-compose.yaml
Normal file
94
templates/compose/docker-compose.yaml
Normal file
|
@ -0,0 +1,94 @@
|
||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
forge:
|
||||||
|
name: "forge-flow"
|
||||||
|
ipam:
|
||||||
|
driver: "default"
|
||||||
|
config:
|
||||||
|
- subnet: "${NETWORK_FORGE_FLOW_SUBNET}"
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
traefik-shared:
|
||||||
|
name: "traefik-config-shared-volume"
|
||||||
|
|
||||||
|
services:
|
||||||
|
# -- Traffic flow --
|
||||||
|
traefik:
|
||||||
|
container_name: "traffic-flow"
|
||||||
|
build:
|
||||||
|
args:
|
||||||
|
TRAEFIK_VERSION: "${TRAEFIK_VERSION}"
|
||||||
|
context: "./traefik"
|
||||||
|
networks:
|
||||||
|
forge:
|
||||||
|
ipv4_address: "${TRAEFIK_CONTAINER_IPV4_ADDRESS}"
|
||||||
|
ports:
|
||||||
|
- target: 80
|
||||||
|
published: 80
|
||||||
|
protocol: "tcp"
|
||||||
|
mode: "host"
|
||||||
|
- target: 443
|
||||||
|
published: 443
|
||||||
|
protocol: "tcp"
|
||||||
|
mode: "host"
|
||||||
|
- target: ${TRAEFIK_EXTERNAL_SSH_PORT}
|
||||||
|
published: ${TRAEFIK_EXTERNAL_SSH_PORT}
|
||||||
|
protocol: "tcp"
|
||||||
|
mode: "host"
|
||||||
|
restart: "always"
|
||||||
|
volumes:
|
||||||
|
- type: "volume"
|
||||||
|
source: "traefik-shared"
|
||||||
|
target: "${TRAEFIK_SHARED_MOUNT_POINT}"
|
||||||
|
- type: "bind"
|
||||||
|
source: "/etc/timezone"
|
||||||
|
target: "/etc/timezone"
|
||||||
|
read_only: true
|
||||||
|
- type: "bind"
|
||||||
|
source: "/etc/localtime"
|
||||||
|
target: "/etc/localtime"
|
||||||
|
read_only: true
|
||||||
|
# Traefik TLS volume
|
||||||
|
- type: "bind"
|
||||||
|
source: "${TRAEFIK_TLS_HOST_DIR}"
|
||||||
|
target: "${TRAEFIK_TLS_CONTAINER_DIR}"
|
||||||
|
# -- Code flow --
|
||||||
|
gitea:
|
||||||
|
container_name: "code-flow"
|
||||||
|
build:
|
||||||
|
args:
|
||||||
|
FLOW_GID: "${FLOW_GID}"
|
||||||
|
FLOW_UID: "${FLOW_UID}"
|
||||||
|
GITEA_HOME: "${GITEA_HOME}"
|
||||||
|
GITEA_WORK_DIR: "${GITEA_WORK_DIR}"
|
||||||
|
GITEA_CUSTOM: "${GITEA_CUSTOM}"
|
||||||
|
GITEA_APP_INI: "${GITEA_APP_INI}"
|
||||||
|
GITEA_BIN: "${GITEA_BIN}"
|
||||||
|
GITEA_DATA_CONTAINER_DIR: "${GITEA_DATA_CONTAINER_DIR}"
|
||||||
|
GITEA_TMP: "${GITEA_TMP}"
|
||||||
|
context: "./gitea"
|
||||||
|
expose:
|
||||||
|
- "${GITEA_SSH_PORT}"
|
||||||
|
- "${GITEA_HTTP_PORT}"
|
||||||
|
networks:
|
||||||
|
forge:
|
||||||
|
ipv4_address: "${GITEA_CONTAINER_IPV4_ADDRESS}"
|
||||||
|
restart: "always"
|
||||||
|
volumes:
|
||||||
|
- type: "volume"
|
||||||
|
source: "traefik-shared"
|
||||||
|
target: "${TRAEFIK_SHARED_MOUNT_POINT}"
|
||||||
|
- type: "bind"
|
||||||
|
source: "/etc/timezone"
|
||||||
|
target: "/etc/timezone"
|
||||||
|
read_only: true
|
||||||
|
- type: "bind"
|
||||||
|
source: "/etc/localtime"
|
||||||
|
target: "/etc/localtime"
|
||||||
|
read_only: true
|
||||||
|
# Gitea data volume
|
||||||
|
- type: "bind"
|
||||||
|
source: "${GITEA_DATA_HOST_DIR}"
|
||||||
|
target: "${GITEA_DATA_CONTAINER_DIR}"
|
54
templates/gitea/Dockerfile
Normal file
54
templates/gitea/Dockerfile
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
# This is a custom made Dockerfile for Gitea which is inspired from
|
||||||
|
# the official Dockerfile.rootless from https://github.com/go-gitea/gitea/
|
||||||
|
FROM alpine:3.15.0
|
||||||
|
|
||||||
|
ARG FLOW_UID
|
||||||
|
ARG FLOW_GID
|
||||||
|
ARG GITEA_HOME
|
||||||
|
ARG GITEA_WORK_DIR
|
||||||
|
ARG GITEA_CUSTOM
|
||||||
|
ARG GITEA_APP_INI
|
||||||
|
ARG GITEA_BIN
|
||||||
|
ARG GITEA_DATA_CONTAINER_DIR
|
||||||
|
ARG GITEA_TMP
|
||||||
|
|
||||||
|
RUN apk --no-cache add \
|
||||||
|
bash \
|
||||||
|
ca-certificates \
|
||||||
|
gettext \
|
||||||
|
git \
|
||||||
|
curl \
|
||||||
|
gnupg \
|
||||||
|
openssh-keygen
|
||||||
|
|
||||||
|
RUN addgroup -S -g ${FLOW_GID} flow && \
|
||||||
|
adduser -S -H -D -h ${GITEA_HOME} -s /bin/bash -u ${FLOW_UID} -G flow git && \
|
||||||
|
mkdir -p ${GITEA_DATA_CONTAINER_DIR} ${GITEA_TMP} && \
|
||||||
|
chown git ${GITEA_DATA_CONTAINER_DIR} && chmod 0700 ${GITEA_DATA_CONTAINER_DIR} && \
|
||||||
|
chown git ${GITEA_TMP} && chmod 0700 ${GITEA_TMP}
|
||||||
|
|
||||||
|
ADD --chown=root:root gitea ${GITEA_BIN}
|
||||||
|
ADD app.ini ${GITEA_APP_INI}
|
||||||
|
ADD entrypoint.sh /usr/local/bin/entrypoint.sh
|
||||||
|
ADD --chown=${FLOW_UID}:${FLOW_GID} dynamic_git.yaml ${GITEA_TMP}/
|
||||||
|
|
||||||
|
RUN chown -R ${FLOW_UID}:${FLOW_UID} ${GITEA_APP_INI} && \
|
||||||
|
chmod 0400 ${GITEA_APP_INI} && \
|
||||||
|
chmod a+x ${GITEA_BIN} && \
|
||||||
|
chmod a+rx /usr/local/bin/entrypoint.sh
|
||||||
|
|
||||||
|
ENV GITEA_WORK_DIR=${GITEA_WORK_DIR} \
|
||||||
|
GITEA_CUSTOM=${GITEA_CUSTOM} \
|
||||||
|
GITEA_APP_INI=${GITEA_APP_INI} \
|
||||||
|
GITEA_BIN=${GITEA_BIN} \
|
||||||
|
HOME=${GITEA_HOME}
|
||||||
|
|
||||||
|
USER ${FLOW_UID}:${FLOW_GID}
|
||||||
|
|
||||||
|
WORKDIR /flow/gitea/data
|
||||||
|
|
||||||
|
VOLUME ["/flow/gitea/data"]
|
||||||
|
|
||||||
|
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
|
||||||
|
|
||||||
|
CMD []
|
105
templates/gitea/app.ini
Normal file
105
templates/gitea/app.ini
Normal file
|
@ -0,0 +1,105 @@
|
||||||
|
APP_NAME = ${GITEA_APP_NAME}
|
||||||
|
RUN_USER = git
|
||||||
|
RUN_MODE = ${GITEA_RUN_MODE}
|
||||||
|
|
||||||
|
[repository]
|
||||||
|
ROOT = ${GITEA_DATA_CONTAINER_DIR}/git/repositories
|
||||||
|
DEFAULT_BRANCH = main
|
||||||
|
|
||||||
|
[repository.local]
|
||||||
|
LOCAL_COPY_PATH = ${GITEA_TMP}/local-repo
|
||||||
|
|
||||||
|
[repository.upload]
|
||||||
|
TEMP_PATH = ${GITEA_TMP}/uploads
|
||||||
|
|
||||||
|
[repository.signing]
|
||||||
|
; Gitea will sign initial commits only if the user has a public key.
|
||||||
|
INITIAL_COMMIT = pubkey
|
||||||
|
|
||||||
|
[ui]
|
||||||
|
DEFAULT_THEME = arc-green
|
||||||
|
|
||||||
|
[server]
|
||||||
|
APP_DATA_PATH = ${GITEA_DATA_CONTAINER_DIR}/git
|
||||||
|
DOMAIN = ${GITEA_DOMAIN}
|
||||||
|
HTTP_ADDR = ${GITEA_CONTAINER_IPV4_ADDRESS}
|
||||||
|
HTTP_PORT = ${GITEA_HTTP_PORT}
|
||||||
|
ROOT_URL = https://${GITEA_DOMAIN}
|
||||||
|
DISABLE_SSH = false
|
||||||
|
START_SSH_SERVER = true
|
||||||
|
SSH_DOMAIN = ${GITEA_DOMAIN}
|
||||||
|
SSH_PORT = ${TRAEFIK_EXTERNAL_SSH_PORT}
|
||||||
|
SSH_LISTEN_HOST = ${GITEA_CONTAINER_IPV4_ADDRESS}
|
||||||
|
SSH_LISTEN_PORT = ${GITEA_SSH_PORT}
|
||||||
|
BUILTIN_SSH_SERVER_USER = git
|
||||||
|
LFS_START_SERVER = false
|
||||||
|
LFS_CONTENT_PATH = ${GITEA_DATA_CONTAINER_DIR}/git/lfs
|
||||||
|
|
||||||
|
[ssh.minimum_key_sizes]
|
||||||
|
ED25519 = 256
|
||||||
|
ECDSA = 256
|
||||||
|
RSA = 4096
|
||||||
|
DSA = -1
|
||||||
|
|
||||||
|
[database]
|
||||||
|
DB_TYPE = sqlite3
|
||||||
|
PATH = ${GITEA_DATA_CONTAINER_DIR}/database/gitea.db
|
||||||
|
HOST = localhost:3306
|
||||||
|
NAME = gitea
|
||||||
|
USER = gitea
|
||||||
|
PASSWD =
|
||||||
|
|
||||||
|
[indexer]
|
||||||
|
ISSUE_INDEXER_PATH = ${GITEA_DATA_CONTAINER_DIR}/indexers/issues.bleve
|
||||||
|
|
||||||
|
[session]
|
||||||
|
PROVIDER_CONFIG = ${GITEA_DATA_CONTAINER_DIR}/sessions
|
||||||
|
|
||||||
|
[queue]
|
||||||
|
DATADIR = ${GITEA_DATA_CONTAINER_DIR}/queues
|
||||||
|
|
||||||
|
[admin]
|
||||||
|
DISABLE_REGULAR_ORG_CREATION = true
|
||||||
|
DEFAULT_EMAIL_NOTIFICATION = disabled
|
||||||
|
|
||||||
|
[security]
|
||||||
|
INSTALL_LOCK = true
|
||||||
|
SECRET_KEY = ${GITEA_SECRET_KEY}
|
||||||
|
INTERNAL_TOKEN = ${GITEA_INTERNAL_TOKEN}
|
||||||
|
LOGIN_REMEMBER_DAYS = 1
|
||||||
|
MIN_PASSWORD_LENGTH = 12
|
||||||
|
PASSWORD_COMPLEXITY = lower,upper,digit
|
||||||
|
|
||||||
|
[service]
|
||||||
|
DISABLE_REGISTRATION = true
|
||||||
|
|
||||||
|
[service.explore]
|
||||||
|
REQUIRE_SIGNIN_VIEW = false
|
||||||
|
|
||||||
|
[picture]
|
||||||
|
AVATAR_UPLOAD_PATH = ${GITEA_DATA_CONTAINER_DIR}/avatars
|
||||||
|
REPOSITORY_AVATAR_UPLOAD_PATH = ${GITEA_DATA_CONTAINER_DIR}/repo-avatars
|
||||||
|
|
||||||
|
[attachment]
|
||||||
|
ENABLED = true
|
||||||
|
PATH = ${GITEA_DATA_CONTAINER_DIR}/attachments
|
||||||
|
|
||||||
|
[log]
|
||||||
|
ROOT_PATH = ${GITEA_DATA_CONTAINER_DIR}/log
|
||||||
|
MODE = console
|
||||||
|
LEVEL = ${GITEA_LOG_LEVEL}
|
||||||
|
|
||||||
|
[log.console]
|
||||||
|
STDERR = false
|
||||||
|
|
||||||
|
[i18n]
|
||||||
|
LANGS = en-US
|
||||||
|
NAMES = English
|
||||||
|
|
||||||
|
[other]
|
||||||
|
SHOW_FOOTER_BRANDING = true
|
||||||
|
SHOW_FOOTER_VERSION = false
|
||||||
|
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
|
||||||
|
|
||||||
|
[oauth2]
|
||||||
|
ENABLE = false
|
28
templates/gitea/dynamic_git.yaml
Normal file
28
templates/gitea/dynamic_git.yaml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
http:
|
||||||
|
routers:
|
||||||
|
gitea:
|
||||||
|
entryPoints:
|
||||||
|
- "https"
|
||||||
|
rule: "Host(`${GITEA_DOMAIN}`)"
|
||||||
|
service: "git"
|
||||||
|
tls:
|
||||||
|
certResolver: resolver
|
||||||
|
services:
|
||||||
|
git:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "http://${GITEA_CONTAINER_IPV4_ADDRESS}:${GITEA_HTTP_PORT}/"
|
||||||
|
|
||||||
|
tcp:
|
||||||
|
routers:
|
||||||
|
gitSSH:
|
||||||
|
entryPoints:
|
||||||
|
- "gitSSH"
|
||||||
|
rule: "HostSNI(`*`)"
|
||||||
|
service: "gitSSH"
|
||||||
|
services:
|
||||||
|
gitSSH:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- address: "${GITEA_CONTAINER_IPV4_ADDRESS}:${GITEA_SSH_PORT}"
|
26
templates/gitea/entrypoint.sh
Normal file
26
templates/gitea/entrypoint.sh
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# Create the home directory.
|
||||||
|
if ! [ -d ${GITEA_HOME} ]; then
|
||||||
|
mkdir -p ${GITEA_HOME}
|
||||||
|
chmod 0700 ${GITEA_HOME}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create the custom directory.
|
||||||
|
if ! [ -d ${GITEA_CUSTOM} ]; then
|
||||||
|
mkdir -p ${GITEA_CUSTOM}
|
||||||
|
chmod 0500 ${GITEA_CUSTOM}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Move the dynamic Traefik config to the shared volume.
|
||||||
|
if [ -f /flow/gitea/tmp/dynamic_git.yaml ]; then
|
||||||
|
mv /flow/gitea/tmp/dynamic_git.yaml ${TRAEFIK_SHARED_MOUNT_POINT}/dynamic/dynamic_git.yaml
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $# -gt 0 ]; then
|
||||||
|
exec "$@"
|
||||||
|
else
|
||||||
|
exec ${GITEA_BIN} -c ${GITEA_APP_INI} web
|
||||||
|
fi
|
11
templates/traefik/Dockerfile
Normal file
11
templates/traefik/Dockerfile
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
FROM traefik:${TRAEFIK_VERSION}
|
||||||
|
|
||||||
|
ADD traefik.yaml /flow/traefik/
|
||||||
|
|
||||||
|
ADD entrypoint.sh /
|
||||||
|
|
||||||
|
ADD dynamic_dashboard.yaml /tmp/
|
||||||
|
|
||||||
|
RUN chmod +x /entrypoint.sh
|
||||||
|
|
||||||
|
CMD ["--configfile=/flow/traefik/traefik.yaml"]
|
10
templates/traefik/dynamic_dashboard.yaml
Normal file
10
templates/traefik/dynamic_dashboard.yaml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
http:
|
||||||
|
routers:
|
||||||
|
dashboard:
|
||||||
|
entryPoints:
|
||||||
|
- "https"
|
||||||
|
rule: "Host(`${ROOT_DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
|
||||||
|
service: "api@internal"
|
||||||
|
tls:
|
||||||
|
certResolver: resolver
|
28
templates/traefik/entrypoint.sh
Normal file
28
templates/traefik/entrypoint.sh
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
#!/bin/sh
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Create the dynamic config directory in the shared volume.
|
||||||
|
mkdir -p ${TRAEFIK_SHARED_MOUNT_POINT}/dynamic
|
||||||
|
chgrp ${FLOW_GID} ${TRAEFIK_SHARED_MOUNT_POINT}/dynamic
|
||||||
|
chmod a-rwx,u+rwx,g+rwx ${TRAEFIK_SHARED_MOUNT_POINT}/dynamic
|
||||||
|
|
||||||
|
# Move the dashboard config to the new directory.
|
||||||
|
if [ -f /tmp/dynamic_dashboard.yaml ]; then
|
||||||
|
mv /tmp/dynamic_dashboard.yaml ${TRAEFIK_SHARED_MOUNT_POINT}/dynamic/dynamic_dashboard.yaml
|
||||||
|
fi
|
||||||
|
|
||||||
|
# first arg is `-f` or `--some-option`
|
||||||
|
if [ "${1#-}" != "$1" ]; then
|
||||||
|
set -- traefik "$@"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# if our command is a valid Traefik subcommand, let's invoke it through Traefik instead
|
||||||
|
# (this allows for "docker run traefik version", etc)
|
||||||
|
if traefik "$1" --help >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
set -- traefik "$@"
|
||||||
|
else
|
||||||
|
echo "= '$1' is not a Traefik command: assuming shell execution." 1>&2
|
||||||
|
fi
|
||||||
|
|
||||||
|
exec "$@"
|
35
templates/traefik/traefik.yaml
Normal file
35
templates/traefik/traefik.yaml
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
---
|
||||||
|
global:
|
||||||
|
checkNewVersion: ${TRAEFIK_CHECK_NEW_VERSION}
|
||||||
|
sendAnonymousUsage: ${TRAEFIK_SEND_ANONYMOUS_USAGE}
|
||||||
|
api:
|
||||||
|
insecure: false
|
||||||
|
dashboard: true
|
||||||
|
debug: false
|
||||||
|
entryPoints:
|
||||||
|
http:
|
||||||
|
address: "${TRAEFIK_CONTAINER_IP}:80"
|
||||||
|
http:
|
||||||
|
redirections:
|
||||||
|
entryPoint:
|
||||||
|
to: "https"
|
||||||
|
scheme: "https"
|
||||||
|
permanent: true
|
||||||
|
https:
|
||||||
|
address: "${TRAEFIK_CONTAINER_IPV4_ADDRESS}:443"
|
||||||
|
gitSSH:
|
||||||
|
address: "${TRAEFIK_CONTAINER_IPV4_ADDRESS}:${TRAEFIK_EXTERNAL_SSH_PORT}"
|
||||||
|
providers:
|
||||||
|
file:
|
||||||
|
watch: true
|
||||||
|
directory: "${TRAEFIK_SHARED_MOUNT_POINT}/dynamic"
|
||||||
|
certificatesResolvers:
|
||||||
|
resolver:
|
||||||
|
acme:
|
||||||
|
caServer: "${TRAEFIK_ACME_CA_SERVER}"
|
||||||
|
email: "${TRAEFIK_ACME_EMAIL}"
|
||||||
|
storage: "${TRAEFIK_TLS_CONTAINER_DIR}/acme.json"
|
||||||
|
keyType: "RSA4096"
|
||||||
|
tlsChallenge: {}
|
||||||
|
log:
|
||||||
|
level: "${TRAEFIK_LOG_LEVEL}"
|
Loading…
Reference in a new issue