Refactored docker compose for forgejo. Added static IPs to allow containers to run without host networking. Improved healthchecks and depends_on. Improved reverse_proxy config.
This commit is contained in:
		
							parent
							
								
									b6bd97eae9
								
							
						
					
					
						commit
						2abfc73c95
					
				
					 2 changed files with 79 additions and 64 deletions
				
			
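--- a/config/nginx/nginx.conf
+++ b/config/nginx/nginx.conf
@@ -21,8 +21,9 @@ http
         include /etc/nginx/mime.types;
         default_type application/octet-stream;
 
-        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-        '$status $body_bytes_sent "$http_referer" '
+#        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+	log_format main '$proxy_protocol_addr - $remote_user [$time_local] "$request" '
+	'$status $body_bytes_sent "$http_referer" '
         '"$http_user_agent" "$http_x_forwarded_for"';
 
         access_log /var/log/nginx/access.log main;
@@ -37,20 +38,33 @@ http
         include /etc/nginx/conf.d/*.conf;
 
 
+        server {
+                listen       8080;
+                listen   [::]:8080;
+                server_name homelab0ne.xyz forgejoever.homelab0ne.xyz;
+
+                return 301 https://$host$request_uri;
+        }
+
+
         server
         {
-                listen 8443 ssl;
-                listen [::]:8443 ssl;
+		listen 8444 ssl proxy_protocol;
+                listen [::]:8444 ssl proxy_protocol;
+		listen 8443 ssl;
+		listen [::]:8443 ssl;
                 ssl_certificate /etc/nginx/ssl/cert.pem;
                 ssl_certificate_key /etc/nginx/ssl/key.pem;
                 server_name forgejoever.homelab0ne.xyz;
-                location / 
+	
+
+		location / 
                 {
-                       proxy_pass http://forgejoever:3000;
+                       proxy_pass http://172.20.0.5:3000;
                        proxy_set_header X-Forwarded-For $remote_addr;
                        proxy_set_header X-Forwarded-Proto $scheme;
                        proxy_set_header Host $host;
-
+		       
         # Nginx by default only allows file uploads up to 1M in size
         # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
                        client_max_body_size 50M;
@@ -59,6 +73,41 @@ http
 
 
         }
+        server
+        {
+                listen 8444 ssl proxy_protocol;
+                listen [::]:8444 ssl proxy_protocol;
+		port_in_redirect off;
+                ssl_certificate /etc/nginx/ssl/cert.pem;
+                ssl_certificate_key /etc/nginx/ssl/key.pem;
+                server_name homelab0ne.xyz;
+                location / 
+                {
+                       root /usr/share/nginx/html;
+		       index index.html index.htm;
+                }
+
+
+        }
+	
+	server {
+		listen 8080;
+		listen [::]:8080;
+		server_name www.homelab0ne.xyz;
+		return 301 https://$host$request_uri;
+	}
 
 
 }
+
+stream {
+server 
+	{
+                listen 30022;
+                proxy_connect_timeout 1s;
+                proxy_timeout 3s;
+                proxy_pass 172.20.0.5:30022;
+        #        proxy_protocol on;
+                ssl_preread on;
+       }
+}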
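Review bot: The new `proxy_protocol` listeners on 8444 accept a PROXY header from whatever peer connects, and since the compose file publishes `"8444:8444"` on the host, anyone who can reach that port can forge the address that the rewritten `log_format` records in `$proxy_protocol_addr`; nginx only replaces `$remote_addr` with the PROXY-supplied address for peers listed in `set_real_ip_from`, and no such directive is visible in these hunks. Add `set_real_ip_from <address of the upstream proxy>;` and `real_ip_header proxy_protocol;` to the `http` block (or restrict 8444 at the host firewall), because as written `proxy_set_header X-Forwarded-For $remote_addr;` still hands Forgejo the intermediate proxy's address on 8444, while on the plain 8443 listener of the same server block `$proxy_protocol_addr` is empty in every log line. In the `stream` block, `proxy_timeout 3s;` closes the SSH proxy session after three seconds without traffic in either direction, which will most likely drop idle git-over-SSH sessions; a value like `proxy_timeout 10m;` is a safer starting point, and `ssl_preread on;` has no effect on SSH since it is not TLS. The enclosing `http` block opens before the first hunk.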
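--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,103 +1,69 @@
 services:
   forgejo:
-    image: codeberg.org/forgejo/forgejo:8-rootless
+    image: codeberg.org/forgejo/forgejo:9-rootless
     container_name: forgejo
-    secrets:
-      - forgejo_internal_token
-      - forgejo_root_password
-      - forgejo_secret_key
-      - lfs_jwt_secret
-      - oauth_jwt_secret
-      - postgres_user_password
-    env_file:
-      - ./.secrets/forgejo.env
-      - ./config/forgejo/forgejo.env
-    environment: 
-      USER_UID: 1000
-      USER_GID: 1000
- #     FORGEJO__database__NAME: forgejodb
-  #    FORGEJO__database__USER: forgejo
-   #   FORGEJO__database__HOST: postgres:5432
-#      FORGEJO__database__PASSWD_FILE: /run/secrets/postgres_user_password
-#      FORGEJO__database__PASSWD: "${FORGEJO__database__PASSWD}"
- #     FORGEJO__server__LFS_JWT_SECRET: "${FORGEJO__server__LFS_JWT_SECRET}"
-  #    FORGEJO__security__SECRET_KEY: "${FORGEJO__security__SECRET_KEY}"
-   #   FORGEJO__security__INTERNAL_TOKEN: "${FORGEJO__security__INTERNAL_TOKEN}"
-    #  FORGEJO__oauth2__JWT_SECRET: "${FORGEJO__oauth2__JWT_SECRET}" 
-      ROOT_PASSWORD_FILE: /run/secrets/forgejo_root_password    
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000"]
+    environment:
+      ROOT_PASSWORD_FILE: /run/secrets/forgejo_root_password
     restart: always
     networks:
       forgejo:
-        aliases:
-          - forgejoever  
+        ipv4_address: 172.20.0.5
     volumes:
       - ./data/forgejo:/var/lib/gitea:Z
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
-    ports: 
-      - "3000:3000"
-      - "30022:30022"
     depends_on:
       - postgres
-  reverse-proxy:
+  reverse_proxy:
     image: ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim
     container_name: reverse_proxy
     restart: always
     ports:
       - "443:8443"
-    volumes: 
+      - "8444:8444"
+      - "80:8080"
+      - "30022:30022"
+    volumes:
      - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./config/nginx/tls.conf:/etc/nginx/conf.d/tls.conf:ro
      - ./data/certs:/etc/nginx/ssl:ro
+     - /home/static_site/public:/usr/share/nginx/html:ro
     networks:
      - forgejo
      - frontend
+    depends_on:
+     forgejo:
+       condition: service_healthy
+       restart: true
   acme.sh:
     command:
       - daemon
     container_name: acme.sh
     env_file:
       - ./.secrets/acme.env
-#    environment:
-#      DEDYN_TOKEN: "${DEDYN_TOKEN}"
-    image: 'ghcr.io/polarix-containers/acme.sh:latest'
+    image: ghcr.io/polarix-containers/acme.sh:latest
     restart: always
     volumes:
       - ./data/acme.sh:/acme.sh:Z
       - ./data/certs:/certs:z
   postgres:
     container_name: postgres
-    image: cgr.dev/chainguard/postgres:latest
+    image: ghcr.io/polarix-containers/postgres:16
     volumes:
       - ./data/postgres:/var/lib/postgresql/data:Z
-    restart: unless-stopped 
-    ports:
-      - 5432:5432 
+    restart: always
     env_file:
       - ./.secrets/acme.env
-#    environment:
-#      POSTGRES_USER: "forgejo"
-#      POSTGRES_DB: "forgejodb"
-#      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
     networks:
       forgejo:
-        aliases:  
-        - db
+        ipv4_address: 172.20.0.6
 networks:
   forgejo:
+      ipam:
+        config:
+          - subnet: 172.20.0.0/24
       external: false
   frontend:
       driver: bridge
-secrets:
-  forgejo_internal_token:
-    file: ./.secrets/forgejo_internal_token
-  forgejo_root_password:
-    file: ./.secrets/forgejo_root_password
-  forgejo_secret_key:
-    file: ./.secrets/forgejo_secret_key
-  lfs_jwt_secret:
-    file: ./.secrets/lfs_jwt_secret
-  oauth_jwt_secret:
-    file: ./.secrets/oauth_jwt_secret
-  postgres_user_password:
-    file: ./.secrets/postgres_user_password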
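Review bot: `ROOT_PASSWORD_FILE: /run/secrets/forgejo_root_password` survives in the forgejo service's `environment`, but the same change removes both the service's `secrets:` list and the top-level `secrets:` block, so nothing mounts that file any more and the variable points at a path that will not exist inside the container; either restore `secrets: [forgejo_root_password]` on the service together with the top-level `forgejo_root_password: { file: ./.secrets/forgejo_root_password }` entry, or drop the variable. The removed `env_file` entries (`./.secrets/forgejo.env`, `./config/forgejo/forgejo.env`) presumably carried the database credentials and `FORGEJO__security__*` secrets that the deleted commented lines hint at; if those now live only in the app.ini under `./data/forgejo`, a one-line comment saying so would stop the next reader from assuming they were lost. Publishing `"8444:8444"` on every host interface exposes the PROXY-protocol listener, whose source address is trusted from any peer, to anyone who can reach the host, so bind it to the interface the upstream proxy actually uses (for example `"127.0.0.1:8444:8444"`) or filter it at the host firewall. The postgres service still loads `./.secrets/acme.env`, the same file acme.sh reads, which judging by the removed `DEDYN_TOKEN` line holds a DNS API token; giving postgres that token and acme.sh the database password is avoidable with a separate `./.secrets/postgres.env` per container.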
	 mustard
						mustard