Need Brains from the self-hosters

usrdef · 1 year ago

Need Brains from the self-hosters

thekrautboy · 1 year ago

Just in case youre curious, here is my complete Gitea stack using MariaDB as db and issue indexer, and Redis for cache, queue and sessions.

Disclaimer: I am neither a Gitea or MariaDB or Redis expert, i know nothing about anything…

version: "3.3"

networks:
  gitea:
    name: gitea
  traefikproxy:
    external: true

services:

  gitea:
    container_name: gitea
    image: gitea/gitea:1.20.5-rootless
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefikproxy
      - traefik.http.routers.gitea.rule=Host(`gitea.local.example.com`)
      - traefik.http.services.gitea.loadbalancer.server.port=3000
    networks:
      - gitea
      - traefikproxy
  # ports:
  #   - 7744:3000   # webui
  #   - 2200:22     # ssh    (needs more configuration)
    depends_on:
      gitea-mariadb:
        condition: service_healthy
      gitea-redis:
        condition: service_healthy
    environment:
      - TZ=Europe/Berlin
      - USER_UID=1000
      - USER_GID=1000
      - USER=username
      ### basic settings
      - "GITEA__default__APP_NAME=Gitea"
      - "GITEA__time__DEFAULT_UI_LOCATION=Europe/Berlin"
      - "GITEA__ui__DEFAULT_THEME=arc-green"
      - "GITEA__server__HTTP_PORT=3000"
      - "GITEA__server__OFFLINE_MODE=true"
      - "GITEA__server__ROOT_URL=https://gitea.local.example.com"
      #- "GITEA__server__LOCAL_ROOT_URL=http://localhost:3000/"
      #- "GITEA__server__DOMAIN="
      ### database settings
      - GITEA__database__DB_TYPE=mysql
      - GITEA__database__HOST=gitea-mariadb:3306
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD=gitea
      ### use db as indexer
      - GITEA__indexer__ISSUE_INDEXER_TYPE=db
      ### redis for cache, session and queue
      - GITEA__cache__ENABLED=true
      - GITEA__cache__ADAPTER=redis
      - GITEA__cache__HOST=redis://gitea-redis:6379/0
      - GITEA__session__PROVIDER=redis
      - GITEA__session__PROVIDER_CONFIG=redis://gitea-redis:6379/1
      - GITEA__queue__TYPE=redis
      - GITEA__queue__CONN_STR=redis://gitea-redis:6379/2
      ### mail settings
      - "GITEA__mailer__ENABLED=true"
      - "GITEA__mailer__PROTOCOL=smtp+starttls"
      - "GITEA__mailer__SUBJECT_PREFIX=Gitea: "
      - "GITEA__mailer__FROM=example@gmail.com"
      - "GITEA__mailer__USER=example@gmail.com"
      - "GITEA__mailer__PASSWD=CHANGEME"
      - "GITEA__mailer__SMTP_ADDR=smtp.gmail.com"
      - "GITEA__mailer__SMTP_PORT=587"
      ### secret key and token
      ### generate once with:
      #      docker run -it --rm gitea/gitea:1.20.5-rootless gitea generate secret SECRET_KEY
      #      docker run -it --rm gitea/gitea:1.20.5-rootless gitea generate secret INTERNAL_TOKEN
      - "GITEA__security__SECRET_KEY=CHANGEME"
      - "GITEA__security__INTERNAL_TOKEN=CHANGEME"
    volumes:
      - ./data:/var/lib/gitea
      - ./config:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: "wget --no-verbose --tries=1 --spider --no-check-certificate http://localhost:3000/api/healthz || exit 1"
      start_period: 60s
  # mem_limit: 250m
  # memswap_limit: 250m
  # mem_reservation: 125m
  # cpu_shares: 1024
  # cpus: 1.0


  gitea-mariadb:
    container_name: gitea-mariadb
    image: mariadb:11.1.2
    restart: unless-stopped
    networks:
      - gitea
  # ports:
  #   - 3306:3306
    environment:
      - TZ=Europe/Berlin
      - MYSQL_ROOT_PASSWORD=gitea
      - MYSQL_USER=gitea
      - MYSQL_PASSWORD=gitea
      - MYSQL_DATABASE=gitea
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./mariadb:/var/lib/mysql
    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    healthcheck:
      test: ["CMD-SHELL", "mariadb-admin --user=$${MYSQL_USER} --password=$${MYSQL_PASSWORD} --host=localhost ping"]
      start_period: 60s
  # mem_limit: 400m
  # memswap_limit: 400m
  # mem_reservation: 200m
  # cpus: 0.5


  gitea-redis:
    container_name: gitea-redis
    image: redis:7.2.2-alpine
    restart: unless-stopped
    networks:
      - gitea
  # ports:
  #   - 6379:6379
    volumes:
      - ./redis:/data
  ### run on Docker host and reboot:
  ###    echo "vm.overcommit_memory = 1" | sudo tee /etc/sysctl.d/nextcloud-aio-memory-overcommit.conf
    command: redis-server --save 30 1 --loglevel warning
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
  # mem_limit: 150m
  # memswap_limit: 150m
  # mem_reservation: 25m
  # cpus: 0.5

usrdef · 1 year ago

Oh damn, thanks. I’ll throw this in Obsidian.

Reverse proxy is exactly why I don’t have more things setup in docker. I haven’t quite figured out how it, nginx, and the app work together yet.

I had to setup caddy when I installed vaultwarden, and while that was easy because I had a very good guide to assist me, I would have been completely and totally lost if I had to setup caddy2 on my own.

So I definitely need to sit down one day and just do a full day’s read on reverse proxy, how it works with Docker and its function, and what I can do with it. Because the vaultwarden setup made it no easier to understand.

I wanted to actually move nginx and mysql over to docker, but reverse proxy is also the reason that’s holding me back.

thekrautboy · 1 year ago

If you already have Caddy running on that same Docker host then its very simple to add another proxy target to that through the Caddyfile.

I have been using Traefik for years and i am mostly happy with it but recently spend a day on trying out Caddy together with Authelia for authentication. Here is what came out of it as a very basic example to use them together. Its using a custom Docker image for Caddy that contains a few extra modules but it can easily be replaced with the basic official one, depending on what modules you need (for example, Lets Encrypt with dns01-challenge requires modules for DNS providers). My example uses www.desec.io for that but Cloudflare, DuckDNS etc. are possible too.

docker-compose.yml

version: "3.3"

networks:
  caddy:
    external: true

services:

  caddy:
    container_name: caddy
    image: l33tlamer/caddy-desec:latest
    restart: unless-stopped
    networks:
      - caddy
    ports:
      - 0.0.0.0:80:80/tcp
      - 0.0.0.0:443:443/tcp
      - 0.0.0.0:443:443/udp
    environment:
      - TZ=Europe/Berlin
      - DESEC_TOKEN=CHANGEME
    volumes:
      - ./required/Caddyfile:/etc/caddy/Caddyfile
      - ./config:/config
      - ./data:/data

  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    restart: unless-stopped
    networks:
      - caddy
    ports:
      - 9091:9091
    environment:
      - TZ=Europe/Berlin
    volumes:
      - ./required/configuration.yml:/config/configuration.yml:ro
      - ./required/users_database.yml:/config/users_database.yml:ro
      - ./required/db.sqlite3:/config/db.sqlite3

    ### use pre-defined external Docker network: docker network create caddy
    ### db.sqlite3 needs to exist before first container start, can be created with: touch ./required/db.sqlite3
    ### Caddy config can be quickly reloaded with: docker exec -w /etc/caddy caddy caddy reload
    ### changes to Authelia files require its container to be restarted

required/Caddyfile

{
        debug
        http_port 80
        https_port 443
        email mail@example.com
        # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        acme_ca https://acme-v02.api.letsencrypt.org/directory
}

*.example.com {
        tls {
                dns desec {
                        token {env.DESEC_TOKEN}
                }
                propagation_timeout -1
        }

        @authelia host auth.example.com
        handle @authelia {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy authelia:9091
        }

        ### example of a basic site entry
        @matomo host matomo.example.com
        handle @matomo {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy matomo:8080
        }

        ### example of a site entry when target is HTTPS
        @proxmox host proxmox.example.com
        handle @proxmox {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy 192.168.50.75:8006 {
                        transport http {
                                tls_insecure_skip_verify
                        }
                }
        }

        ### Fallback for otherwise unhandled domains
        handle {
                abort
        }

}

required/configuration.yml

# yamllint disable rule:comments-indentation
---
theme: grey

# generate with: openssl rand -hex 32
jwt_secret: CHANGEME

default_redirection_url: https://www.google.com/

default_2fa_method: ""

server:
  host: 0.0.0.0
  port: 9091
  path: ""
# asset_path: /config/assets/
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
    client_certificates: []
  headers:
    csp_template: ""

log:
  level: debug

telemetry:
  metrics:
    enabled: false
    address: tcp://0.0.0.0:9959

totp:
  disable: false
  issuer: Authelia
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

webauthn:
  disable: false
  timeout: 60s
  display_name: Authelia
  attestation_conveyance_preference: indirect
  user_verification: preferred

ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  password_reset:
    disable: false
    custom_url: ""
  refresh_interval: 1m

  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: false
    min_score: 3

access_control:
  default_policy: deny
  rules:
    # authelia itself gets bypass
    - domain:
        - "auth.example.com"
      policy: bypass
    # list all your protected subdomains like this
    - domain: "matomo.example.com"
      policy: one_factor
    - domain: "proxmox.example.com"
      policy: one_factor

session:
  name: authelia_session
  domain: example.com
  same_site: lax
  # generate with: openssl rand -hex 32
  secret: CHANGEME
  expiration: 3h
  inactivity: 15m
  remember_me_duration: 1M

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 12h

storage:
  local:
    path: /config/db.sqlite3
  # generate with: openssl rand -hex 32
  encryption_key: CHANGEME

notifier:
  disable_startup_check: false
  filesystem:
    filename: /config/notification.txt

required/users_database.yml

users:

  admin:
    displayname: "Admin"
    # generate encoded password with for example https://argon2.online/
    # settings: argon2id, random salt, parallelism=8, memorycost=1024, iterations=1, hashlength=32
    # this example password = admin
    password: "$argon2id$v=19$m=1024,t=1,p=8$WnZGOU03d1lnMFRuYzZVQw$V+pcZ9KqXmsSZGuhzrv75ZPy5VQi9rfrWZnFKlJxTcI"
    email: email@example.com
    groups:
      - admins