From 23903d003ddbaa97147eb77f97de72fd355b2ef9 Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Mon, 5 Jun 2023 14:57:29 +0200 Subject: [PATCH 1/4] Move storage locations to {VOLUME_PATH}/{COMPOSE_STACK_NAME}/{SERVICE_NAME} schema --- firefoxsync/docker-compose.yaml | 6 +++--- monitoring/docker-compose.yaml | 6 +++--- nextcloud/docker-compose.yaml | 20 ++++++++++---------- proxy/docker-compose.yaml | 2 +- wallabag/docker-compose.yaml | 4 ++-- 5 files changed, 19 insertions(+), 19 deletions(-) diff --git a/firefoxsync/docker-compose.yaml b/firefoxsync/docker-compose.yaml index dc5aba5..83e6f07 100644 --- a/firefoxsync/docker-compose.yaml +++ b/firefoxsync/docker-compose.yaml @@ -3,7 +3,7 @@ services: syncserver: image: mozilla/syncserver:latest volumes: - - ${VOLUMES_PATH}/firefoxsync_syncserver:/data + - ${VOLUMES_PATH}/firefoxsync/syncserver:/data user: ${UID}:${GID} networks: - web @@ -23,7 +23,7 @@ services: - SYNCSERVER_SQLURI=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db/${POSTGRES_DB} - SYNCSERVER_BATCH_UPLOAD_ENABLED=true - SYNCSERVER_FORCE_WSGI_ENVIRON=true - - SYNCSERVER_DEBUG_ENABLED=true + - SYNCSERVER_DEBUG_ENABLED=false - SYNCSERVER_ALLOW_NEW_USER=true - PORT=5000 @@ -38,7 +38,7 @@ services: networks: - firefoxsync volumes: - - ${VOLUMES_PATH}/firefoxsync_db:/var/lib/postgresql/data + - ${VOLUMES_PATH}/firefoxsync/db:/var/lib/postgresql/data user: ${UID}:${GID} labels: - "docker.group=firefoxsync" diff --git a/monitoring/docker-compose.yaml b/monitoring/docker-compose.yaml index 4e428a3..0ec41ff 100644 --- a/monitoring/docker-compose.yaml +++ b/monitoring/docker-compose.yaml @@ -39,7 +39,7 @@ services: grafanadb: image: postgres:${POSTGRES_VERSION} volumes: - - ${VOLUMES_PATH}/grafanadb:/var/lib/postgresql/data + - ${VOLUMES_PATH}/monitoring/grafanadb:/var/lib/postgresql/data networks: - grafana restart: unless-stopped 
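Review bot: Turning `SYNCSERVER_DEBUG_ENABLED` off is the right call, but the line right below it, `SYNCSERVER_ALLOW_NEW_USER=true`, is the setting that still widens exposure on this service, which sits on the `web` network behind the proxy: as far as I can tell from the syncserver's documented behaviour, with this flag any account holder who points a client at this host can register a sync user and store data here. Once the intended accounts exist, change it to `- SYNCSERVER_ALLOW_NEW_USER=false` so the server only serves users already present in its database. The first hunk also shows the image pulled as `mozilla/syncserver:latest`; pinning a tag or digest keeps a registry-side change from silently altering what runs with `${POSTGRES_PASSWORD}` in its environment. The `syncserver` service definition continues beyond this hunk.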
@@ -61,7 +61,7 @@ services: environment: - INFLUXDB_MONITOR_STORE_ENABLED=false volumes: - - ${VOLUMES_PATH}/influxdb/:/var/lib/influxdb + - ${VOLUMES_PATH}/monitoring/influxdb/:/var/lib/influxdb - ${PWD}/influxdb.conf:/etc/influxdb/influxdb.conf:ro labels: - "traefik.enable=true" @@ -84,7 +84,7 @@ services: - web # also used to get traefik metrics volumes: - ./prometheus.yml:/etc/prometheus/prometheus.yml - - ${VOLUMES_PATH}/prometheus:/prometheus + - ${VOLUMES_PATH}/monitoring/prometheus:/prometheus labels: - "docker.group=monitoring" diff --git a/nextcloud/docker-compose.yaml b/nextcloud/docker-compose.yaml index 679ea49..cf0daff 100644 --- a/nextcloud/docker-compose.yaml +++ b/nextcloud/docker-compose.yaml @@ -5,7 +5,7 @@ services: depends_on: - app volumes: - - ${VOLUMES_PATH}/nextcloud_html:/var/www/html:ro + - ${VOLUMES_PATH}/nextcloud/html:/var/www/html:ro - $PWD/nginx.conf:/etc/nginx/nginx.conf:ro restart: unless-stopped networks: @@ -34,8 +34,8 @@ services: args: - NC_MAIN_VERSION=${NC_MAIN_VERSION} volumes: - - ${VOLUMES_PATH}/nextcloud_html:/var/www/html - - ${VOLUMES_PATH}/nextcloud_data:/var/www/html/data + - ${VOLUMES_PATH}/nextcloud/html:/var/www/html + - ${VOLUMES_PATH}/nextcloud/data:/var/www/html/data - type: tmpfs target: /tmp restart: unless-stopped @@ -66,8 +66,8 @@ services: networks: - nextcloud volumes: - - ${VOLUMES_PATH}/nextcloud_html:/var/www/html - - ${VOLUMES_PATH}/nextcloud_data:/var/www/html/data + - ${VOLUMES_PATH}/nextcloud/html:/var/www/html + - ${VOLUMES_PATH}/nextcloud/data:/var/www/html/data # If I mount my crontab into the container crond is not working any more :( # docker log should print 11110001 lines # https://github.com/nextcloud/docker/issues/1775 
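Review bot: Renaming the bind-mount source from `nextcloud_html` to `nextcloud/html` (and likewise `nextcloud_data`) is not a no-op for a running deployment: nothing in this patch moves the existing directories, so on the next `up` the `app` container sees an empty `/var/www/html` and, as far as I know of the official image's entrypoint, performs a fresh install against the database instead of serving the existing instance. The same applies to every relocated Postgres/MariaDB data directory in this patch, which would initialise empty clusters. A short comment at the top of the file, or in the commit message, should state the required pre-step, e.g. `mv "${VOLUMES_PATH}/nextcloud_html" "${VOLUMES_PATH}/nextcloud/html"` for each renamed path, and that the stack must be stopped while doing it. The `app` service definition continues past this hunk.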
@@ -91,8 +91,8 @@ services: - web - nextcloud volumes: - - ${VOLUMES_PATH}/nextcloud_html:/var/www/html:ro - - ${VOLUMES_PATH}/nextcloud_data:/var/www/html/data:ro + - ${VOLUMES_PATH}/nextcloud/html:/var/www/html:ro + - ${VOLUMES_PATH}/nextcloud/data:/var/www/html/data:ro environment: - PORT=7867 - NEXTCLOUD_URL=http://web @@ -113,7 +113,7 @@ services: image: mariadb:10 command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed volumes: - - ${VOLUMES_PATH}/nextcloud_db:/var/lib/mysql + - ${VOLUMES_PATH}/nextcloud/db:/var/lib/mysql restart: unless-stopped environment: - PUID=1000 @@ -165,7 +165,7 @@ services: - nextcloud - monitoring volumes: - - ${VOLUMES_PATH}/nextcloud_redis:/data + - ${VOLUMES_PATH}/nextcloud/redis:/data labels: - "docker.group=netxtcloud" @@ -205,7 +205,7 @@ services: networks: - nextcloud volumes: - - ${VOLUMES_PATH}/nextcloud_fonts:/usr/share/fonts/drawio + - ${VOLUMES_PATH}/nextcloud/fonts:/usr/share/fonts/drawio restart: unless-stopped labels: - "docker.group=netxtcloud" diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml index d71e93a..b0ea9d2 100755 --- a/proxy/docker-compose.yaml +++ b/proxy/docker-compose.yaml @@ -40,7 +40,7 @@ services: - web - dockersocket volumes: - - ${VOLUMES_PATH}/letsencrypt:/letsencrypt + - ${VOLUMES_PATH}/proxy/letsencrypt:/letsencrypt - $PWD/tls.toml:/etc/traefik/tls.toml labels: - "traefik.enable=true" diff --git a/wallabag/docker-compose.yaml b/wallabag/docker-compose.yaml index fa68e6e..693087d 100644 --- a/wallabag/docker-compose.yaml +++ b/wallabag/docker-compose.yaml @@ -20,7 +20,7 @@ services: - web - wallabag volumes: - - /var/dockervolumes/wallabag_images:/var/www/wallabag/web/assets/images + - /var/dockervolumes/wallabag/images:/var/www/wallabag/web/assets/images labels: - "traefik.enable=true" - "traefik.http.routers.wallabag.rule=Host(`wallabag.${DOMAIN}`)" 
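Review bot: Moving the ACME store to `${VOLUMES_PATH}/proxy/letsencrypt` means Traefik starts against an empty directory unless the existing `acme.json` is copied over first; it will then register a new ACME account and re-issue every certificate, which for a handful of hosts can hit Let's Encrypt's duplicate-certificate rate limit and leave the `websecure` entrypoint serving the default self-signed cert. When copying, keep the file at mode `0600` — Traefik refuses to load an `acme.json` with wider permissions — and note that the file holds the account key and all leaf private keys, so the new directory should not be world-readable either. A comment next to the mount, e.g. `# acme.json: mode 0600, contains account + cert private keys`, would make this visible to the next person relocating it. The `traefik` service definition continues outside this hunk.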
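Review bot: The wallabag stack still hard-codes `/var/dockervolumes/wallabag/images` instead of using `${VOLUMES_PATH}` like every other file in this commit, so the new `{VOLUME_PATH}/{stack}/{service}` scheme from the subject line is only partially applied. If `VOLUMES_PATH` points anywhere else, wallabag's uploaded images silently land outside the managed tree and outside any backup or permission policy keyed on that path. Change it to `- ${VOLUMES_PATH}/wallabag/images:/var/www/wallabag/web/assets/images` (and the `db` mount below it the same way). The `wallabag` service definition continues outside this hunk.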
@@ -40,7 +40,7 @@ services: networks: - wallabag volumes: - - /var/dockervolumes/wallabag_db:/var/lib/mysql + - /var/dockervolumes/wallabag/db:/var/lib/mysql labels: - "docker.group=wallabag" From 063ff194e26e9e5e8fecf1de69fe939af0010b21 Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Mon, 5 Jun 2023 14:59:16 +0200 Subject: [PATCH 2/4] Gitea -> git with Forgejoe --- start-all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/start-all.sh b/start-all.sh index b8ab461..3bb9ce4 100755 --- a/start-all.sh +++ b/start-all.sh @@ -7,7 +7,7 @@ function up { up proxy --scale whoami=3; up monitoring; up nextcloud; -up gitea; +up git; up wallabag; up www; up firefoxsync; From 0520815da132f8e697e33b9065522075a61f3d45 Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Fri, 9 Jun 2023 08:58:54 +0200 Subject: [PATCH 3/4] Added a view healthchecks --- firefoxsync/docker-compose.yaml | 4 ++++ git/docker-compose.yaml | 32 ++++++++++++++++++++------------ monitoring/docker-compose.yaml | 4 ++++ nextcloud/docker-compose.yaml | 13 +++++++++++++ nextcloud/nginx.conf | 5 ++++- proxy/docker-compose.yaml | 13 +++++++++++-- wallabag/docker-compose.yaml | 16 +++++++++++++++- www/docker-compose.yaml | 4 ++++ 8 files changed, 75 insertions(+), 16 deletions(-) diff --git a/firefoxsync/docker-compose.yaml b/firefoxsync/docker-compose.yaml index 83e6f07..7fb5c27 100644 --- a/firefoxsync/docker-compose.yaml +++ b/firefoxsync/docker-compose.yaml @@ -40,6 +40,10 @@ services: volumes: - ${VOLUMES_PATH}/firefoxsync/db:/var/lib/postgresql/data user: ${UID}:${GID} + healthcheck: + test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"] + interval: 10s + timeout: 5s labels: - "docker.group=firefoxsync" diff --git a/git/docker-compose.yaml b/git/docker-compose.yaml index 1c24a2c..a969f8e 100644 --- a/git/docker-compose.yaml +++ b/git/docker-compose.yaml 
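Review bot: `pg_isready -U ${POSTGRES_USER}` without `-d` asks for a database named after the user; when `POSTGRES_DB` differs, every probe makes Postgres log a `FATAL: database "<user>" does not exist` line, and at a 10 s interval that noise buries real authentication failures in the logs you would look at during an incident. The probe still exits 0 because the server answered, so the health status is correct — only the logging is wrong. Use `test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]`; the same fix applies to the other `pg_isready` checks added in this patch. The `db` service definition starts before this hunk.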
@@ -11,18 +11,6 @@ services: networks: - web - git - labels: - - "traefik.enable=true" - - "traefik.http.routers.forgejo.rule=Host(`gitea.${DOMAIN}`, `git.${DOMAIN}`)" - - "traefik.http.routers.forgejo.entrypoints=websecure" - - "traefik.http.routers.forgejo.tls.certresolver=netcup" - - "traefik.http.routers.forgejo.tls.options=intermediate@file" - - "traefik.http.routers.forgejo.middlewares=gitearedir" - - "traefik.http.middlewares.gitearedir.redirectregex.regex=^https://gitea.${DOMAIN}/(.*)" - - "traefik.http.middlewares.gitearedir.redirectregex.replacement=https://git.${DOMAIN}/$${1}" - - "traefik.http.middlewares.gitearedir.redirectregex.permanent=true" - - "traefik.http.services.forgejo.loadbalancer.server.port=3000" - - "docker.group=git" depends_on: - db restart: unless-stopped @@ -35,6 +23,22 @@ services: - DB_NAME=${POSTGRES_DB} - DB_USER=${POSTGRES_USER} - DB_PASSWD=${POSTGRES_PASSWORD} + healthcheck: + test: ["CMD", "curl" ,"--fail", "localhost:3000/api/healthz"] + interval: 5s + timeout: 3s + labels: + - "traefik.enable=true" + - "traefik.http.routers.forgejo.rule=Host(`gitea.${DOMAIN}`, `git.${DOMAIN}`)" + - "traefik.http.routers.forgejo.entrypoints=websecure" + - "traefik.http.routers.forgejo.tls.certresolver=netcup" + - "traefik.http.routers.forgejo.tls.options=intermediate@file" + - "traefik.http.routers.forgejo.middlewares=gitearedir" + - "traefik.http.middlewares.gitearedir.redirectregex.regex=^https://gitea.${DOMAIN}/(.*)" + - "traefik.http.middlewares.gitearedir.redirectregex.replacement=https://git.${DOMAIN}/$${1}" + - "traefik.http.middlewares.gitearedir.redirectregex.permanent=true" + - "traefik.http.services.forgejo.loadbalancer.server.port=3000" + - "docker.group=git" db: @@ -48,6 +52,10 @@ services: - git volumes: - ${VOLUMES_PATH}/git/forgejo_db:/var/lib/postgresql/data + healthcheck: + test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"] + interval: 10s + timeout: 5s labels: - "docker.group=git" 
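Review bot: The `depends_on: - db` that remains in this hunk is still the short form, so Compose only orders container creation and Forgejo still starts before Postgres has finished recovery, even though a `pg_isready` healthcheck is now defined on `db` further down. To make the new check do something, use the long form `depends_on: { db: { condition: service_healthy } }` (or the three-line block equivalent). Note that with `condition: service_healthy` an unhealthy dependency aborts the start, and the Forgejo check itself has `interval: 5s`, `timeout: 3s` and the default `retries: 3`, so a slow migration on first boot would flag the service unhealthy after roughly 15 s; add `start_period: 30s` (value to be tuned to observed startup time) to both checks. The `forgejo` service definition is split across the first two hunks of this file.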
diff --git a/monitoring/docker-compose.yaml b/monitoring/docker-compose.yaml index 0ec41ff..c0c45c5 100644 --- a/monitoring/docker-compose.yaml +++ b/monitoring/docker-compose.yaml @@ -47,6 +47,10 @@ services: - POSTGRES_DB=grafana - POSTGRES_USER=${POSTGRES_USER} - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + healthcheck: + test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"] + interval: 10s + timeout: 5s labels: - "docker.group=monitoring" diff --git a/nextcloud/docker-compose.yaml b/nextcloud/docker-compose.yaml index cf0daff..95c8f20 100644 --- a/nextcloud/docker-compose.yaml +++ b/nextcloud/docker-compose.yaml @@ -11,6 +11,10 @@ services: networks: - web - nextcloud + healthcheck: + test: curl -sSf 'http://localhost/status.php' | grep '"installed":true' | grep '"maintenance":false' | grep '"needsDbUpgrade":false' || exit 1 + interval: 5s + timeout: 3s labels: - "traefik.enable=true" - "traefik.http.routers.nextcloud.rule=Host(`cloud.${DOMAIN}`)" @@ -123,6 +127,7 @@ services: - MYSQL_PASSWORD=${MYSQL_PASSWORD} - MYSQL_DATABASE=${MYSQL_DATABASE} - MYSQL_USER=${MYSQL_USER} + - MARIADB_AUTO_UPGRADE=1 logging: driver: "json-file" options: @@ -131,6 +136,10 @@ services: networks: - nextcloud - mariadb + healthcheck: + test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"] + interval: 20s + timeout: 3s labels: - "docker.group=netxtcloud" @@ -166,6 +175,10 @@ services: - monitoring volumes: - ${VOLUMES_PATH}/nextcloud/redis:/data + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 5s + timeout: 3s labels: - "docker.group=netxtcloud" diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf index 6ffd511..59f3d77 100644 --- a/nextcloud/nginx.conf +++ b/nextcloud/nginx.conf @@ -22,6 +22,9 @@ http { sendfile on; #tcp_nopush on; + # Prevent nginx HTTP Server Detection + server_tokens off; + keepalive_timeout 65; #gzip on; 
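Review bot: `MARIADB_AUTO_UPGRADE=1` is added to a service whose image is the floating tag `mariadb:10` (visible in an earlier hunk), so every pull that lands a new minor release now runs `mariadb-upgrade` against the Nextcloud schema on container start, unattended and without a preceding backup. Schema upgrades are not reversible by rolling the image back, so either pin the image to a specific release line, e.g. `image: mariadb:10.11`, and bump it deliberately, or keep the flag but document the backup expectation next to it: `# MARIADB_AUTO_UPGRADE runs mariadb-upgrade on version change - snapshot /var/lib/mysql before pulling a new tag`. The `db` service definition starts before this hunk.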
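Review bot: `mysqladmin ping -h localhost` reports the server alive as soon as any mysqld answers, which on the official MariaDB image includes the temporary server used while a fresh data directory is being initialised, and it also returns 0 on access-denied responses; so this check can go green before the Nextcloud database exists or while InnoDB recovery is still running. Recent `mariadb` images ship a purpose-built probe for exactly this: `test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]` (verify the script is present in the tag in use). If the image is older and lacks it, at least document the limitation with a comment such as `# mysqladmin ping answers during init; do not depend on this for ordering`. The `db` service definition starts before this hunk.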
@@ -48,7 +51,7 @@ http { add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml index b0ea9d2..4fe6cd3 100755 --- a/proxy/docker-compose.yaml +++ b/proxy/docker-compose.yaml @@ -18,6 +18,7 @@ services: #- "--log.level=DEBUG" - "--log.level=INFO" #- "--accesslog=true" + - "--ping=true" - "--entrypoints.web.address=:80" - "--entrypoints.web.http.redirections.entrypoint.to=websecure" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" @@ -42,6 +43,10 @@ services: volumes: - ${VOLUMES_PATH}/proxy/letsencrypt:/letsencrypt - $PWD/tls.toml:/etc/traefik/tls.toml + healthcheck: + test: traefik healthcheck --ping + interval: 3s + timeout: 1s labels: - "traefik.enable=true" - "traefik.http.routers.dashboard.rule=Host(`traefik.${DOMAIN}`)" @@ -63,14 +68,18 @@ services: environment: # grant privileges as environment variables: https://github.com/Tecnativa/docker-socket-proxy#grant-or-revoke-access-to-certain-api-sections - CONTAINERS=1 - - INFO=1 + - INFO=1 networks: - dockersocket + healthcheck: + test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost:2375/version"] + interval: 10s + timeout: 3s privileged: true whoami: - image: containous/whoami + image: traefik/whoami networks: - web labels: diff --git a/wallabag/docker-compose.yaml b/wallabag/docker-compose.yaml index 693087d..6433ff3 100644 --- a/wallabag/docker-compose.yaml +++ b/wallabag/docker-compose.yaml 
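Review bot: The socket-proxy healthcheck probes `http://localhost:2375/version`, an endpoint that is only reachable because `INFO=1` is set two lines above; the moment someone tightens the grants (which the comment invites), the check fails and the container flips to unhealthy for a reason unrelated to its actual state. Probe the ping endpoint instead, which per the docker-socket-proxy README is allowed by default without any extra grant: `test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:2375/_ping"]`. While in this block, the `privileged: true` left in context is not required to forward a bind-mounted socket and hands full host capabilities to the one container that already holds Docker API access — worth a follow-up to drop it, or a comment explaining why it is needed here. The `socket-proxy` service definition starts before this hunk.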
@@ -21,6 +21,10 @@ services: - wallabag volumes: - /var/dockervolumes/wallabag/images:/var/www/wallabag/web/assets/images + healthcheck: + test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost"] + interval: 10s + timeout: 3s labels: - "traefik.enable=true" - "traefik.http.routers.wallabag.rule=Host(`wallabag.${DOMAIN}`)" @@ -41,14 +45,24 @@ services: - wallabag volumes: - /var/dockervolumes/wallabag/db:/var/lib/mysql + healthcheck: + test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"] + interval: 10s + timeout: 3s labels: - "docker.group=wallabag" redis: - image: redis:alpine + image: redis restart: unless-stopped networks: - wallabag + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 5s + timeout: 3s + labels: + - "docker.group=wallabag" networks: diff --git a/www/docker-compose.yaml b/www/docker-compose.yaml index 8372974..c6a475b 100644 --- a/www/docker-compose.yaml +++ b/www/docker-compose.yaml @@ -7,6 +7,10 @@ services: networks: - web restart: unless-stopped + healthcheck: + test: ["CMD", "curl" ,"--fail", "localhost"] + interval: 5s + timeout: 3s labels: - "traefik.enable=true" - "traefik.http.routers.webroot.entrypoints=websecure" # All HTTP requests are globally redirected to HTTPS From fc106060b74c811526165aac1c2636e863d222de Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Fri, 16 Jun 2023 08:37:08 +0200 Subject: [PATCH 4/4] Nextcloud: run cronejob every minute --- nextcloud/Dockerfile | 2 ++ nextcloud/crontab | 3 --- nextcloud/docker-compose.yaml | 6 ------ 3 files changed, 2 insertions(+), 9 deletions(-) delete mode 100755 nextcloud/crontab diff --git a/nextcloud/Dockerfile b/nextcloud/Dockerfile index 600750a..7b9cb73 100644 --- a/nextcloud/Dockerfile +++ b/nextcloud/Dockerfile 
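Review bot: Besides the healthcheck the subject line announces, this hunk also changes the Redis image from `redis:alpine` to bare `redis`, which both switches to the larger Debian-based image and drops to the implicit `latest` tag; there is no stated reason, and an untagged image means the next pull can move to a new major version of the cache that Wallabag talks to without anyone noticing. If the Alpine image was changed because `redis-cli` was unavailable, note that the Alpine variant ships `redis-cli` too, so the check works there. Pin it, e.g. `image: redis:7-alpine`, and mention the reason for the base change in the commit message. The `redis` service definition ends inside this hunk.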
@@ -9,3 +9,5 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ ocrmypdf tesseract-ocr-deu \ procps \ && rm -rf /var/lib/apt/lists/* + +RUN mkdir -p /var/spool/cron/crontabs; echo '* * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data diff --git a/nextcloud/crontab b/nextcloud/crontab deleted file mode 100755 index a8885e2..0000000 --- a/nextcloud/crontab +++ /dev/null @@ -1,3 +0,0 @@ -*/5 * * * * php -f /var/www/html/cron.php - - diff --git a/nextcloud/docker-compose.yaml b/nextcloud/docker-compose.yaml index 95c8f20..90aaf18 100644 --- a/nextcloud/docker-compose.yaml +++ b/nextcloud/docker-compose.yaml @@ -72,12 +72,6 @@ services: volumes: - ${VOLUMES_PATH}/nextcloud/html:/var/www/html - ${VOLUMES_PATH}/nextcloud/data:/var/www/html/data -# If I mount my crontab into the container crond is not working any more :( -# docker log should print 11110001 lines -# https://github.com/nextcloud/docker/issues/1775 -# https://github.com/nextcloud/docker/issues/1695 -# build own cron image? -# - $PWD/crontab:/var/spool/cron/crontabs/www-data entrypoint: /cron.sh depends_on: - db
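Review bot: The new `RUN` joins `mkdir -p` and the `echo` redirect with `;`, so a failed `mkdir` is ignored and the build succeeds with no crontab written; use `&&` so the layer fails loudly. The file is also written as root under the build umask, i.e. root-owned with mode 0644; the compose file runs this container via `entrypoint: /cron.sh`, which as far as I know uses busybox crond and does not enforce spool permissions, but a stricter cron would silently skip the file, so `&& chmod 600 /var/spool/cron/crontabs/www-data` costs nothing and removes the ambiguity. Since the removed comment block in docker-compose.yaml was the only explanation of why the crontab is baked in rather than mounted, carry a one-liner over: `# Baked in instead of bind-mounted: a mounted crontab broke crond (nextcloud/docker#1775); runs Nextcloud background jobs every minute as www-data`.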