From 2abfc73c95d3449dc916c0748c05f3e6613f9019 Mon Sep 17 00:00:00 2001 From: mustard Date: Fri, 6 Dec 2024 21:52:11 +0100 Subject: [PATCH] Refactored docker compose for forgejo. Added static IPs to allow containers to run without host networking. Improved healthchecks and depends_on. Improved reverse_proxy config. --- config/nginx/forgejo.conf | 63 +++++++++++++++++++++++++---- docker-compose-forgejo.yaml | 80 +++++++++++-------------------------- 2 files changed, 79 insertions(+), 64 deletions(-) diff --git a/config/nginx/forgejo.conf b/config/nginx/forgejo.conf index b737b1d..9191515 100644 --- a/config/nginx/forgejo.conf +++ b/config/nginx/forgejo.conf @@ -21,8 +21,9 @@ http include /etc/nginx/mime.types; default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' +# log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + log_format main '$proxy_protocol_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; 
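Review bot: `$proxy_protocol_addr` is only populated on listeners that carry the `proxy_protocol` parameter, which in the following hunk is just the 8444 pair; on 8443 and on the plain 8080 redirect servers it is empty, so the access log now records no client address at all for those connections. Keep `$remote_addr` in the format as well, e.g. `log_format main '$remote_addr $proxy_protocol_addr - $remote_user [$time_local] "$request" '`, so every request logs the TCP peer and, where present, the PROXY-header address. The PROXY-header value is unauthenticated — it is whatever the connecting peer wrote — so it should only be read as the client address while 8444 is reachable solely from the intended front proxy. The commented-out copy of the old `log_format` line above it can be dropped rather than left in the config.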
@@ -37,20 +38,33 @@ http include /etc/nginx/conf.d/*.conf; + server { + listen 8080; + listen [::]:8080; + server_name homelab0ne.xyz forgejoever.homelab0ne.xyz; + + return 301 https://$host$request_uri; + } + + server { - listen 8443 ssl; - listen [::]:8443 ssl; + listen 8444 ssl proxy_protocol; + listen [::]:8444 ssl proxy_protocol; + listen 8443 ssl; + listen [::]:8443 ssl; ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; server_name forgejoever.homelab0ne.xyz; - location / + + + location / { - proxy_pass http://forgejoever:3000; + proxy_pass http://172.20.0.5:3000; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - + # Nginx by default only allows file uploads up to 1M in size # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml client_max_body_size 50M; @@ -59,6 +73,41 @@ http } + server + { + listen 8444 ssl proxy_protocol; + listen [::]:8444 ssl proxy_protocol; + port_in_redirect off; + ssl_certificate /etc/nginx/ssl/cert.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; + server_name homelab0ne.xyz; + location / + { + root /usr/share/nginx/html; + index index.html index.htm; + } + + + } + + server { + listen 8080; + listen [::]:8080; + server_name www.homelab0ne.xyz; + return 301 https://$host$request_uri; + } } + +stream { +server + { + listen 30022; + proxy_connect_timeout 1s; + proxy_timeout 3s; + proxy_pass 172.20.0.5:30022; + # proxy_protocol on; + ssl_preread on; + } +} diff --git a/docker-compose-forgejo.yaml b/docker-compose-forgejo.yaml index ade2517..2bcb35d 100644 --- a/docker-compose-forgejo.yaml +++ b/docker-compose-forgejo.yaml 
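Review bot: The new 8080 server (`listen 8080;` … `return 301 https://$host$request_uri;`) is the first server declared for that port and therefore the default for any Host header that matches no `server_name`, which makes it a Host-header open redirect: a request carrying an arbitrary Host value is answered with a 301 to that host. Either redirect to a fixed name, e.g. `return 301 https://forgejoever.homelab0ne.xyz$request_uri;`, or add a `listen 8080 default_server;` server that returns 444 so the `$host` form only ever fires for the listed names; the `www.homelab0ne.xyz` 8080 server added in the next hunk uses the same pattern. On the `8444 ssl proxy_protocol` listeners, `proxy_set_header X-Forwarded-For $remote_addr;` still forwards the TCP peer (the front proxy), not the address carried in the PROXY header, so Forgejo never sees the real client; adding `set_real_ip_from <front-proxy-cidr>;` (placeholder) and `real_ip_header proxy_protocol;` to this server fixes that and, because it is limited to the listed source, also keeps an arbitrary peer from choosing the address. The comment above `client_max_body_size` refers to `homeserver.yaml`, which is not part of this stack; the `forgejoever` server block's closing lines fall between this hunk and the next.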
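Review bot: `proxy_timeout 3s;` in the new `stream` server is nginx's inactivity timeout between successive reads or writes, not a connect timeout, so any SSH/git session on 30022 that is idle for three seconds (a pause during an interactive push, a slow pack negotiation) is closed; leaving the directive out or using something like `proxy_timeout 10m;` is needed for SSH to be usable. `ssl_preread on;` does nothing useful for SSH, which is not TLS, and makes nginx wait for the client's first bytes before connecting upstream, so it can be removed. Because `# proxy_protocol on;` stays commented out, Forgejo's SSH listener will see the nginx container address as every client's source, so its own logs and any IP-based blocking lose the real peer; enabling it only makes sense once the Forgejo side is configured to accept PROXY protocol on that port. The `www.homelab0ne.xyz` 8080 server here uses the same `$host`-based redirect as the one in the previous hunk.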
@@ -1,103 +1,69 @@ services: forgejo: - image: codeberg.org/forgejo/forgejo:8-rootless + image: codeberg.org/forgejo/forgejo:9-rootless container_name: forgejo - secrets: - - forgejo_internal_token - - forgejo_root_password - - forgejo_secret_key - - lfs_jwt_secret - - oauth_jwt_secret - - postgres_user_password - env_file: - - ./.secrets/forgejo.env - - ./config/forgejo/forgejo.env - environment: - USER_UID: 1000 - USER_GID: 1000 - # FORGEJO__database__NAME: forgejodb - # FORGEJO__database__USER: forgejo - # FORGEJO__database__HOST: postgres:5432 -# FORGEJO__database__PASSWD_FILE: /run/secrets/postgres_user_password -# FORGEJO__database__PASSWD: "${FORGEJO__database__PASSWD}" - # FORGEJO__server__LFS_JWT_SECRET: "${FORGEJO__server__LFS_JWT_SECRET}" - # FORGEJO__security__SECRET_KEY: "${FORGEJO__security__SECRET_KEY}" - # FORGEJO__security__INTERNAL_TOKEN: "${FORGEJO__security__INTERNAL_TOKEN}" - # FORGEJO__oauth2__JWT_SECRET: "${FORGEJO__oauth2__JWT_SECRET}" - ROOT_PASSWORD_FILE: /run/secrets/forgejo_root_password + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:3000"] + environment: + ROOT_PASSWORD_FILE: /run/secrets/forgejo_root_password restart: always networks: forgejo: - aliases: - - forgejoever + ipv4_address: 172.20.0.5 volumes: - ./data/forgejo:/var/lib/gitea:Z - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro - ports: - - "3000:3000" - - "30022:30022" depends_on: - postgres - reverse-proxy: + reverse_proxy: image: ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim container_name: reverse_proxy restart: always ports: - "443:8443" - volumes: + - "8444:8444" + - "80:8080" + - "30022:30022" + volumes: - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - ./config/nginx/tls.conf:/etc/nginx/conf.d/tls.conf:ro - ./data/certs:/etc/nginx/ssl:ro + - /home/static_site/public:/usr/share/nginx/html:ro networks: - forgejo - frontend + depends_on: + forgejo: + condition: service_healthy + restart: true acme.sh: command: - daemon 
container_name: acme.sh env_file: - ./.secrets/acme.env -# environment: -# DEDYN_TOKEN: "${DEDYN_TOKEN}" - image: 'ghcr.io/polarix-containers/acme.sh:latest' + image: ghcr.io/polarix-containers/acme.sh:latest restart: always volumes: - ./data/acme.sh:/acme.sh:Z - ./data/certs:/certs:z postgres: container_name: postgres - image: cgr.dev/chainguard/postgres:latest + image: ghcr.io/polarix-containers/postgres:16 volumes: - ./data/postgres:/var/lib/postgresql/data:Z - restart: unless-stopped - ports: - - 5432:5432 + restart: always env_file: - ./.secrets/acme.env -# environment: -# POSTGRES_USER: "forgejo" -# POSTGRES_DB: "forgejodb" -# POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}" networks: forgejo: - aliases: - - db + ipv4_address: 172.20.0.6 networks: forgejo: + ipam: + config: + - subnet: 172.20.0.0/24 external: false frontend: driver: bridge -secrets: - forgejo_internal_token: - file: ./.secrets/forgejo_internal_token - forgejo_root_password: - file: ./.secrets/forgejo_root_password - forgejo_secret_key: - file: ./.secrets/forgejo_secret_key - lfs_jwt_secret: - file: ./.secrets/lfs_jwt_secret - oauth_jwt_secret: - file: ./.secrets/oauth_jwt_secret - postgres_user_password: - file: ./.secrets/postgres_user_password
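Review bot: `ROOT_PASSWORD_FILE: /run/secrets/forgejo_root_password` is kept under `environment`, but this hunk removes both the service-level `secrets:` list and the top-level `secrets:` definitions, so nothing mounts `/run/secrets/forgejo_root_password` any more and the path names a file that will not exist in the container (unless it is now supplied by something outside this diff). If the root password is still meant to come from a file, the secret has to be declared again as below. Separately, `"8444:8444"` publishes the `proxy_protocol` listener on every host interface, and the PROXY header is trusted from whoever connects, so that port should be bound to the interface the front proxy uses (e.g. `"<front-proxy-ip>:8444:8444"`, placeholder) or firewalled. The new `/home/static_site/public` mount is the only bind mount without a `:z`/`:Z` label, which on an SELinux host will likely leave nginx unable to read it, and the `curl` healthcheck assumes curl exists in the rootless image — both worth confirming.
```yaml
  forgejo:
    # … unchanged: image, container_name, healthcheck, environment …
    secrets:
      - forgejo_root_password
    # … unchanged: restart, networks, volumes, depends_on …
# … unchanged: reverse_proxy, acme.sh, postgres, networks …
secrets:
  forgejo_root_password:
    file: ./.secrets/forgejo_root_password
```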