diff --git a/docker-compose-registry.yml b/docker-compose-registry.yml
new file mode 100644
index 0000000..544ae35
--- /dev/null
+++ b/docker-compose-registry.yml
@@ -0,0 +1,43 @@
+version: "3.7"
+services:
+ letsencrypt-registry:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 0
+ restart_policy:
+ condition: any
+ image: ${LOCAL_DOCKER_REGISTRY}letsencrypt-git
+ environment:
+ - CERTBOT_EMAIL=${CERTBOT_EMAIL}
+ - SERVER_NAME=${GIT_DOMAIN}
+ - REGISTRY_PROXY_PASS=http://registry:5000
+ volumes:
+ - letsencrypt-registry:/etc/letsencrypt
+ networks:
+ - appnet
+ ports:
+ - 5004:5004
+ registry:
+ # internal registry #1 (why?)
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: registry:2
+ volumes:
+ - registry-data:/var/lib/registry
+ environment:
+ - REGISTRY_HTTP_ADDR=0.0.0.0:5000
+ networks:
+ - appnet
+volumes:
+ registry-data:
+ letsencrypt-nginx:
+
+networks:
+ appnet:
+ driver: overlay
+ #external: true
diff --git a/docker-compose.yml b/docker-compose.yml
index a28a09f..fb591a4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,8 +35,6 @@ services:
- letsencrypt-git:/etc/letsencrypt
networks:
- appnet
- depends_on:
- - gitea
ports:
- 80:80
- 443:443
@@ -59,8 +57,6 @@ services:
- letsencrypt-drone:/etc/letsencrypt
networks:
- appnet
- depends_on:
- - drone-server
gitea:
# gitea application
deploy:
@@ -111,8 +107,6 @@ services:
- BLOG_DOMAIN=${BLOG_DOMAIN}
- CHAT_DOMAIN=${CHAT_DOMAIN}
- NGROK_AUTH_TOKEN=${NGROK_AUTH_TOKEN}
- depends_on:
- - gitea
networks:
- appnet
drone-server:
@@ -127,8 +121,6 @@ services:
volumes:
- drone:/var/lib/drone
- drone-data:/data
- depends_on:
- - gitea
environment:
- DRONE_LOGS_DEBUG=true
- DRONE_LOGS_PRETTY=true
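Review bot: The letsencrypt-registry service mounts the named volume `letsencrypt-registry`, but the top-level `volumes:` block declares `letsencrypt-nginx` instead, so `docker stack deploy` should reject the file with an undefined-volume error; the declaration wants to be `letsencrypt-registry:` (or the mount renamed). The same service runs `image: ${LOCAL_DOCKER_REGISTRY}letsencrypt-git`, while drone.star in this commit builds and pulls `letsencrypt-registry` from Dockerfile.registry, so the proxy would come up with the git nginx config rather than registry.conf — presumably `image: ${LOCAL_DOCKER_REGISTRY}letsencrypt-registry` was intended. Quoting the port mapping as `- "5004:5004"` keeps it a string under every YAML loader. `replicas: 0` also means the TLS front end is not started by this deploy; if that is deliberate, a comment saying so would save the next reader a puzzle.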
@@ -155,8 +147,6 @@ services:
restart_policy:
condition: any
image: drone/drone-runner-docker:1
- depends_on:
- - drone-server
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
@@ -363,8 +353,6 @@ services:
- appnet
portainer-agent:
image: portainer/agent:1.5.1
- depends_on:
- - portainer
environment:
# REQUIRED: Should be equal to the service name prefixed by "tasks." when
# deployed inside an overlay network
diff --git a/drone-starlark/repos/stack/drone.star b/drone-starlark/repos/stack/drone.star
index 6cd6230..ad39450 100644
--- a/drone-starlark/repos/stack/drone.star
+++ b/drone-starlark/repos/stack/drone.star
@@ -56,6 +56,13 @@ def drone(
"letsencrypt-nginx",
"drone",
),
+ buildDockerFolder(
+ "Dockerfile.registry",
+ "$${LOCAL_DOCKER_REGISTRY}letsencrypt-nginx",
+ "$${LOCAL_DOCKER_REGISTRY}letsencrypt-registry",
+ "letsencrypt-nginx",
+ "registry",
+ ),
scp(base),
pull(
"pull images",
@@ -69,6 +76,12 @@ def drone(
"guacamole-postgresql",
],
),
+ pull(
+ "pull registry",
+ [
+ "letsencrypt-registry",
+ ],
+ ),
deploy(
"docker-compose.yml",
name,
@@ -77,6 +90,14 @@ def drone(
commands,
ctx
),
+ deploy(
+ "docker-compose-registry.yml",
+ 'registry',
+ base,
+ publicSecrets + secretSecrets,
+ commands,
+ ctx
+ ),
],
[],
[
diff --git a/letsencrypt-nginx/Dockerfile.git b/letsencrypt-nginx/Dockerfile.git
index d9078a8..c42b145 100644
--- a/letsencrypt-nginx/Dockerfile.git
+++ b/letsencrypt-nginx/Dockerfile.git
@@ -1,6 +1,3 @@
ARG image
FROM $image
-COPY website /www/data
COPY ./conf/git.conf /etc/nginx/user.conf.d/server._conf
-COPY git.sh /
-CMD sh /git.sh
\ No newline at end of file
diff --git a/letsencrypt-nginx/Dockerfile.registry b/letsencrypt-nginx/Dockerfile.registry
new file mode 100644
index 0000000..451db78
--- /dev/null
+++ b/letsencrypt-nginx/Dockerfile.registry
@@ -0,0 +1,3 @@
+ARG image
+FROM $image
+COPY ./conf/registry.conf /etc/nginx/user.conf.d/server._conf
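Review bot: The `'registry'` argument in the third drone.star hunk is single-quoted while every other string literal in these hunks and their visible neighbours is double-quoted; write it as `"registry",` for consistency. The first hunk's build step pushes `$${LOCAL_DOCKER_REGISTRY}letsencrypt-registry`, which matches the image the new `pull registry` step fetches, but docker-compose-registry.yml in this same commit still runs `letsencrypt-git` for that service, so the image actually deployed is not the one built here. The enclosing `drone(` function starts and ends outside these hunks.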
diff --git a/letsencrypt-nginx/conf/registry.conf b/letsencrypt-nginx/conf/registry.conf
new file mode 100644
index 0000000..64dd077
--- /dev/null
+++ b/letsencrypt-nginx/conf/registry.conf
@@ -0,0 +1,53 @@
+ ## Set a variable to help us decide if we need to add the
+ ## 'Docker-Distribution-Api-Version' header.
+ ## The registry always sets this header.
+ ## In the case of nginx performing auth, the header is unset
+ ## since nginx is auth-ing before proxying.
+ map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version {
+ '' 'registry/2.0';
+ }
+
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ # listen 444
+ listen 5004 ssl;
+ # this should allow large docs
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 0;
+ ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+ # save logs here
+ #access_log /var/log/nginx/access.log compression;
+
+
+ # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+ chunked_transfer_encoding on;
+
+ server_name ${SERVER_NAME};
+
+
+ location /v2/ {
+ # Do not allow connections from docker 1.5 and earlier
+ # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+ if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+ return 404;
+ }
+ add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always;
+
+ proxy_set_header Host ${DOLLAR}http_host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+ proxy_buffering off;
+ proxy_pass ${REGISTRY_PROXY_PASS};
+
+ }
+ }
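Review bot: `location /v2/` proxies straight through to the registry with no access control, even though the `map` comment above assumes nginx is the one performing auth; combined with `listen 5004 ssl` on a public `server_name`, any client that can reach the port can pull and push images. Before this is deployed, add `auth_basic "Registry realm";` and `auth_basic_user_file <path to htpasswd file>;` inside the location (or an `allow`/`deny` list if access is meant to be network-scoped), or document where access control is enforced instead. `ssl_protocols TLSv1.1 TLSv1.2;` should drop the deprecated TLSv1.1, which current Docker clients do not need: `ssl_protocols TLSv1.2;` (add TLSv1.3 if the base image's nginx and OpenSSL support it). The `${DOLLAR}` and `${SERVER_NAME}` placeholders imply an envsubst pass at container start by the base image — confirm it also substitutes `${REGISTRY_PROXY_PASS}`, which docker-compose-registry.yml sets, since an unexpanded value would leave `proxy_pass` invalid.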