-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathdocker-compose.instance.yaml
75 lines (65 loc) · 4.18 KB
/
docker-compose.instance.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#! This is a ytt template file for docker-compose.override.yaml
#! References:
#! https://carvel.dev/ytt
#! https://docs.docker.com/compose/extends/#adding-and-overriding-configuration
#! https://github.com/enigmacurry/d.rymcg.tech#overriding-docker-composeyaml-per-instance
#! ### Standard project vars:
#@ load("@ytt:data", "data")
#@ project = data.values.project
#@ instance = data.values.instance
#@ context = data.values.context
#@ traefik_host = data.values.traefik_host
#@ ip_sourcerange = data.values.ip_sourcerange
#@ enable_mtls_auth = data.values.enable_mtls_auth == "true"
#@ mtls_authorized_certs = data.values.mtls_authorized_certs
#@ enabled_middlewares = []
#@yaml/text-templated-strings
services:
forgejo:
#@ service = "forgejo"
labels:
- "backup-volume.stop-during-backup=true"
#! Services must opt-in to be proxied by Traefik:
- "traefik.enable=true"
#! 'router' is the fully qualified key in traefik for this router/service: project + instance + service
#@ router = "{}-{}-{}".format(project,instance,service)
#! The host matching router rule:
- "traefik.http.routers.(@= router @).rule=Host(`(@= traefik_host @)`)"
- "traefik.http.routers.(@= router @).entrypoints=websecure"
#! SSH
- "traefik.tcp.routers.(@= router @)-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.(@= router @)-ssh.entrypoints=ssh"
- "traefik.tcp.routers.(@= router @)-ssh.service=(@= router @)-ssh"
- "traefik.tcp.services.(@= router @)-ssh.loadbalancer.server.port=22"
#@ enabled_middlewares.append("{}-ipallowlist".format(router))
- "traefik.http.middlewares.(@= router @)-ipallowlist.ipallowlist.sourcerange=(@= ip_sourcerange @)"
#! Override the default port that forgejo binds to, so that it lives in userspace >1024:
#! You don't normally need to do this, as long as your image has
#! an EXPOSE directive in it, Traefik will autodetect it, but this is how you can override it:
- "traefik.http.services.(@= router @).loadbalancer.server.port=3000"
#! Logout phase 1 (deletes 'gitea_incredible' cookie):
- "traefik.http.routers.(@= router @)-logout1.rule=Host(`(@= traefik_host @)`) && Path(`/logout`)"
- "traefik.http.routers.(@= router @)-logout1.entrypoints=websecure"
- "traefik.http.middlewares.(@= router @)-logout1.headers.customresponseheaders.Set-Cookie=gitea_incredible=deleted; Max-Age=0"
- "traefik.http.middlewares.(@= router @)-logout-redirect1.redirectregex.regex=.*"
- "traefik.http.middlewares.(@= router @)-logout-redirect1.redirectregex.replacement=https://(@= traefik_host @)/logout2"
- "traefik.http.routers.(@= router @)-logout1.middlewares=(@= router @)-ipallowlist,(@= router @)-logout1,(@= router @)-logout-redirect1"
#! Logout phase 2 (deletes 'i_like_gitea' cookie):
- "traefik.http.routers.(@= router @)-logout2.rule=Host(`(@= traefik_host @)`) && Path(`/logout2`)"
- "traefik.http.routers.(@= router @)-logout2.entrypoints=websecure"
- "traefik.http.middlewares.(@= router @)-logout2.headers.customresponseheaders.Set-Cookie=i_like_gitea=deleted; Max-Age=0"
- "traefik.http.middlewares.(@= router @)-logout-redirect2.redirectregex.regex=.*"
- "traefik.http.middlewares.(@= router @)-logout-redirect2.redirectregex.replacement=https://(@= traefik_host @)/user/login"
- "traefik.http.routers.(@= router @)-logout2.middlewares=(@= router @)-ipallowlist,(@= router @)-logout2,(@= router @)-logout-redirect2"
#@ if enable_mtls_auth:
- "traefik.http.routers.(@= router @).tls.options=step_ca_mTLS@file"
- "traefik.http.routers.(@= router @)-logout1.tls.options=step_ca_mTLS@file"
- "traefik.http.routers.(@= router @)-logout2.tls.options=step_ca_mTLS@file"
#@ if len(mtls_authorized_certs):
- "traefik.http.middlewares.mtlsauth-(@= router @).plugin.certauthz.domains=(@= mtls_authorized_certs @)"
#@ enabled_middlewares.append("mtlsauth-{}".format(router))
#@ end
#@ enabled_middlewares.append("mtls-header@file")
#@ end
#! Apply all middlewares (do this at the end!)
- "traefik.http.routers.(@= router @).middlewares=(@= ','.join(enabled_middlewares) @)"