.

2020-05-01 23:07:26 +01:00 · 2020-05-01 23:07:26 +01:00 · 676611abbf
parent 40aa95d2a9
commit 676611abbf
6 changed files with 120 additions and 15 deletions
--- a/docker-compose-registry.yml
+++ b/docker-compose-registry.yml
@ -0,0 +1,43 @@
+version: "3.7"
+services:
+  letsencrypt-registry:
+    deploy:
+      placement:
+        constraints: [node.labels.com.sigyl.git-stack == yes]
+      replicas: 0
+      restart_policy:
+        condition: any
+    image: ${LOCAL_DOCKER_REGISTRY}letsencrypt-git
+    environment:
+      - CERTBOT_EMAIL=${CERTBOT_EMAIL}
+      - SERVER_NAME=${GIT_DOMAIN}
+      - REGISTRY_PROXY_PASS=http://registry:5000
+    volumes:
+      - letsencrypt-registry:/etc/letsencrypt
+    networks:
+      - appnet
+    ports:
+      - 5004:5004
+  registry:
+    # internal registry #1 (why?)
+    deploy:
+      placement:
+        constraints: [node.labels.com.sigyl.git-stack == yes]
+      replicas: 1
+      restart_policy:
+        condition: any
+    image: registry:2
+    volumes:
+      - registry-data:/var/lib/registry
+    environment:
+      - REGISTRY_HTTP_ADDR=0.0.0.0:5000
+    networks:
+      - appnet
+volumes:
+  registry-data:
+  letsencrypt-nginx:
+
+networks:
+  appnet:
+    driver: overlay
+    #external: true
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -35,8 +35,6 @@ services:
      - letsencrypt-git:/etc/letsencrypt
    networks:
      - appnet
-    depends_on:
-      - gitea
    ports:
      - 80:80
      - 443:443
@ -59,8 +57,6 @@ services:
      - letsencrypt-drone:/etc/letsencrypt
    networks:
      - appnet
-    depends_on:
-      - drone-server
  gitea:
    # gitea application
    deploy:
@ -111,8 +107,6 @@ services:
      - BLOG_DOMAIN=${BLOG_DOMAIN}
      - CHAT_DOMAIN=${CHAT_DOMAIN}
      - NGROK_AUTH_TOKEN=${NGROK_AUTH_TOKEN}
-    depends_on:
-      - gitea
    networks:
      - appnet
  drone-server:
@ -127,8 +121,6 @@ services:
    volumes:
      - drone:/var/lib/drone
      - drone-data:/data
-    depends_on:
-      - gitea
    environment:
      - DRONE_LOGS_DEBUG=true
      - DRONE_LOGS_PRETTY=true
@ -155,8 +147,6 @@ services:
      restart_policy:
        condition: any
    image: drone/drone-runner-docker:1
-    depends_on:
-      - drone-server
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
@ -363,8 +353,6 @@ services:
      - appnet
  portainer-agent:
    image: portainer/agent:1.5.1
-    depends_on:
-      - portainer
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
--- a/drone-starlark/repos/stack/drone.star
+++ b/drone-starlark/repos/stack/drone.star
@ -56,6 +56,13 @@ def drone(
            "letsencrypt-nginx",
            "drone",
          ),
+          buildDockerFolder(
+            "Dockerfile.registry",
+            "$${LOCAL_DOCKER_REGISTRY}letsencrypt-nginx",
+            "$${LOCAL_DOCKER_REGISTRY}letsencrypt-registry",
+            "letsencrypt-nginx",
+            "registry",
+          ),
          scp(base),
          pull(
            "pull images",
@ -69,6 +76,12 @@ def drone(
              "guacamole-postgresql",
            ],
          ),
+          pull(
+            "pull registry",
+            [
+              "letsencrypt-registry",
+            ],
+          ),
          deploy(
            "docker-compose.yml",
            name,
@ -77,6 +90,14 @@ def drone(
            commands,
            ctx
          ),
+          deploy(
+            "docker-compose-registry.yml",
+            'registry',
+            base,
+            publicSecrets + secretSecrets,
+            commands,
+            ctx
+          ),
        ],
        [],
        [
--- a/letsencrypt-nginx/Dockerfile.git
+++ b/letsencrypt-nginx/Dockerfile.git
@ -1,6 +1,3 @@
 ARG image
 FROM $image
-COPY website /www/data
 COPY ./conf/git.conf /etc/nginx/user.conf.d/server._conf
-COPY git.sh /
-CMD sh /git.sh
--- a/letsencrypt-nginx/Dockerfile.registry
+++ b/letsencrypt-nginx/Dockerfile.registry
@ -0,0 +1,3 @@
+ARG image
+FROM $image
+COPY ./conf/registry.conf /etc/nginx/user.conf.d/server._conf
--- a/letsencrypt-nginx/conf/registry.conf
+++ b/letsencrypt-nginx/conf/registry.conf
@ -0,0 +1,53 @@
+        ## Set a variable to help us decide if we need to add the
+        ## 'Docker-Distribution-Api-Version' header.
+        ## The registry always sets this header.
+        ## In the case of nginx performing auth, the header is unset
+        ## since nginx is auth-ing before proxying.
+        map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version {
+             '' 'registry/2.0';
+        }
+
+    server {
+        # resolver 127.0.0.11 valid=30s; ## internal docker dns
+        #listen   [::]:3011 default ipv6only=on; ## listen for ipv6
+        # listen 444
+        listen 5004 ssl;
+                # this should allow large docs
+        client_header_timeout 120s;
+                client_body_timeout 120s;
+                client_max_body_size 0;
+        ssl_certificate     /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+        # save logs here
+        #access_log /var/log/nginx/access.log compression;
+
+
+        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+
+        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+        chunked_transfer_encoding on;
+
+        server_name ${SERVER_NAME};
+
+
+        location /v2/ {
+            # Do not allow connections from docker 1.5 and earlier
+                # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+                if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+                     return 404;
+                }
+                add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always;
+
+                proxy_set_header Host ${DOLLAR}http_host;
+                proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+                proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+                proxy_buffering off;
+                proxy_pass ${REGISTRY_PROXY_PASS};
+
+        }
+    }