From 9f3f9391e3cf7d3c54a29c13cc4c968e3e418047 Mon Sep 17 00:00:00 2001
From: Dmitry Anderson <4nd3r5z0n@gmail.com>
Date: Tue, 15 Oct 2024 00:12:11 +0200
Subject: [PATCH] Gitea, Haproxy and MIC bot/backend infra added
---
 README.md | 5 +-
 gitea/README | 4 ++
 gitea/docker-compose.yml | 52 +++++++++++++++++++
 haproxy/haproxy.cfg | 107 +++++++++++++++++++++++++++++++++++++++
 mic/docker-compose.yml | 20 ++++++++
 pre-run.sh | 2 +
 6 files changed, 188 insertions(+), 2 deletions(-)
 create mode 100644 gitea/README
 create mode 100644 gitea/docker-compose.yml
 create mode 100644 haproxy/haproxy.cfg
 create mode 100644 mic/docker-compose.yml
 create mode 100644 pre-run.sh
diff --git a/README.md b/README.md
index 4c26920..25ea1d5 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
-# mic-infra
+Before trying to setup anything do `source ./pre-run.sh`
+or add it's content into your `~/.zshrc` or `~/.bashrc` file
-Compose, make, docker, config files and scripts used to setup the MIC infrastructure and (hopefully) some documentation on how to use it.
\ No newline at end of file
+As well you're gonna need to install [docker](https://docs.docker.com/engine/install/fedora/)
diff --git a/gitea/README b/gitea/README
new file mode 100644
index 0000000..29ac636
--- /dev/null
+++ b/gitea/README
@@ -0,0 +1,4 @@
+Before running do
+$ mkdir gitea_data gitea_config postgres_data
+$ mkdir .secret
+$ nvim .secret/db_password.txt # Setup your Postgres password here
diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml
new file mode 100644
index 0000000..5700e55
--- /dev/null
+++ b/gitea/docker-compose.yml
@@ -0,0 +1,52 @@
+secrets:
+ db_password:
+ file: .secrets/db_password.txt
+
+networks:
+ gitea:
+ driver: bridge
+
+
+services:
+ postgres:
+ container_name: gitea_postgres
+ image: postgres:latest
+ restart: always
+ volumes:
+ - ./postgres_data:/var/lib/postgresql/data:rw
+ environment:
+ POSTGRES_USER: gitea
+ POSTGRES_DB: gitea
+ POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+ user: "${USER_ID:-1000}:${GID:-1000}"
+ networks:
+ - gitea
+ secrets:
+ - db_password
+
+ server:
+ container_name: gitea_serv
+ image: gitea/gitea:latest
+ depends_on:
+ - postgres
+ restart: always
+ volumes:
+ - ./gitea_data:/var/lib/gitea
+ - ./gitea_config:/etc/gitea
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ environment:
+ - USER_ID=${USER_ID:-1000}
+ - GROUP_ID=${GID:-1000}
+ - GITEA__database__DB_TYPE=postgres
+ - GITEA__database__HOST=postgres:5432
+ - GITEA__database__NAME=gitea
+ - GITEA__database__USER=gitea
+ - GITEA__database__PASSWD_FILE=/run/secrets/db_password
+ ports:
+ - "3000:3000"
+ - "2222:22"
+ networks:
+ - gitea
+ secrets:
+ - db_password
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
new file mode 100644
index 0000000..c1ebf7f
--- /dev/null
+++ b/haproxy/haproxy.cfg
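Review bot: The `server` service publishes `"3000:3000"` on every interface, so Gitea's plain-HTTP port stays reachable directly and bypasses the TLS termination and HTTPS redirect that haproxy.cfg in this same commit puts in front of `127.0.0.1:3000`; bind it to loopback with `- "127.0.0.1:3000:3000"` (the SSH mapping `2222:22` can stay public if that is intended). The secret path `file: .secrets/db_password.txt` also disagrees with gitea/README, which tells the operator to create `.secret/`, so one of the two must change or Compose will not find the password file on first start. If I recall the environment-to-ini convention correctly, Gitea reads a value from a file via a `__FILE` suffix, i.e. `GITEA__database__PASSWD__FILE=/run/secrets/db_password`, whereas `GITEA__database__PASSWD_FILE` would only write an unused `PASSWD_FILE` key into app.ini — worth confirming before relying on it. Both images are pulled as `:latest`, so a redeploy silently picks up whatever was published last; pin a version tag (or digest) for `postgres` and `gitea/gitea`.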
@@ -0,0 +1,107 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application. See the
+# full configuration options online.
+#
+# https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+ # to have these messages end up in /var/log/haproxy.log you will
+ # need to:
+ #
+ # 1) configure syslog to accept network log events. This is done
+ # by adding the '-r' option to the SYSLOGD_OPTIONS in
+ # /etc/sysconfig/syslog
+ #
+ # 2) configure local2 events to go to the /var/log/haproxy.log
+ # file. A line like the following can be added to
+ # /etc/sysconfig/syslog
+ #
+ # local2.* /var/log/haproxy.log
+ #
+ # log 127.0.0.1 local2
+ log /dev/log local0
+
+ chroot /var/lib/haproxy
+ pidfile /var/run/haproxy.pid
+ maxconn 4000
+ user haproxy
+ group haproxy
+ daemon
+
+ # turn on stats unix socket
+ stats socket /var/lib/haproxy/stats
+
+ # utilize system-wide crypto-policies
+ ssl-default-bind-ciphers PROFILE=SYSTEM
+ ssl-default-server-ciphers PROFILE=SYSTEM
+
+ # TLS
+ ssl-default-bind-options ssl-min-ver TLSv1.2
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+ mode http
+ log global
+ option httplog
+ option dontlognull
+ option http-server-close
+ option forwardfor except 127.0.0.0/8
+ option redispatch
+ retries 3
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+ maxconn 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend main
+ bind *:5000
+ acl url_static path_beg -i /static /images /javascript /stylesheets
+ acl url_static path_end -i .jpg .gif .png .css .js
+
+ use_backend static if url_static
+
+frontend git-http
+ bind *:80
+ option forwardfor
+ http-request redirect scheme https unless { ssl_fc }
+
+frontend git-https
+ bind *:443 ssl crt /etc/letsencrypt/live/git.mic.pp.ua/fullchain.pem alpn h2,http/1.1
+ mode http
+ option forwardfor
+ acl is_git hdr(host) -i git.mic.pp.ua
+ use_backend git_backend if is_git
+
+#---------------------------------------------------------------------
+# static backend for serving up images, stylesheets and such
+#---------------------------------------------------------------------
+backend static
+ balance roundrobin
+ server static 127.0.0.1:4331 check
+
+#---------------------------------------------------------------------
+# round robin balancing between the various backends
+#---------------------------------------------------------------------
+backend git_backend
+ balance roundrobin
+ mode http
+ server git_instance1 127.0.0.1:3000 check
+
+backend letsencrypt-backend
+ server letsencrypt 127.0.0.1:8888
diff --git a/mic/docker-compose.yml b/mic/docker-compose.yml
new file mode 100644
index 0000000..4a81b1d
--- /dev/null
+++ b/mic/docker-compose.yml
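Review bot: `backend letsencrypt-backend` is defined but nothing routes to it, while `frontend git-http` redirects every plain-HTTP request to HTTPS, so an HTTP-01 challenge for `git.mic.pp.ua` never reaches `127.0.0.1:8888` and the certificate named on the `bind *:443` line cannot be renewed that way; route the challenge path ahead of the redirect: `acl is_acme path_beg /.well-known/acme-challenge/` / `use_backend letsencrypt-backend if is_acme` / `http-request redirect scheme https if !{ ssl_fc } !is_acme`. `frontend main` on `*:5000` and `backend static` on `127.0.0.1:4331` look like leftovers of the upstream example config: the frontend has no `default_backend`, so anything that is not a static asset gets a 503, and the listener is open on all interfaces for no purpose — drop both sections rather than carry an extra exposed port. In `global`, `ssl-default-bind-ciphers` is set twice and the explicit list on the second line silently overrides `PROFILE=SYSTEM`, so keep one and delete the other, with a comment saying which policy is intended. Consider also `http-response set-header Strict-Transport-Security "max-age=31536000"` in `git-https` so clients stop probing port 80 at all.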
@@ -0,0 +1,20 @@
+secrets:
+ db_password:
+ file: .secrets/db_password.txt
+
+services:
+ postgres:
+ container_name: bot_postgres
+ image: postgres:latest
+ restart: always
+ volumes:
+ - ./postgres_data:/var/lib/postgresql/data:rw
+ environment:
+ POSTGRES_USER: mic
+ POSTGRES_DB: mic
+ POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+ user: "${USER_ID:-1000}:${GID:-1000}"
+ networks:
+ - "127.0.0.1:5432:5432"
+ secrets:
+ - db_password
diff --git a/pre-run.sh b/pre-run.sh
new file mode 100644
index 0000000..9d87334
--- /dev/null
+++ b/pre-run.sh
@@ -0,0 +1,2 @@
+export USER_ID=$(id -u $USER)
+export GID=$(id -g $USER)
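Review bot: The loopback port mapping `- "127.0.0.1:5432:5432"` sits under `networks:` rather than `ports:`, so Compose will read it as the name of a network the file never defines and should reject the service before it starts; move it to `ports:` and keep the `127.0.0.1:` prefix, because a bare `5432:5432` would expose the bot's Postgres on every interface (and Docker-published ports bypass host firewall rules on typical iptables setups). `image: postgres:latest` is unpinned, so a later pull can jump a major version against the bind-mounted `./postgres_data` directory and refuse to start on the old cluster files; pin a major-version tag such as `postgres:16`. Unlike `gitea/`, this directory has no note telling the operator to create `.secrets/db_password.txt`; a one-line README with that path and a `chmod 600` would save a failed first start.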
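Review bot: Both lines pass `$USER` unquoted to `id`, and `USER` is not guaranteed to be set in a non-login or `sudo` shell, in which case `id` falls back to the current process anyway — which is all this script wants; drop the argument: `export USER_ID=$(id -u)` / `export GID=$(id -g)`. The README suggests pasting this into `~/.zshrc`, but if I remember zsh's special parameters correctly `GID` is bound there to the process's group ID rather than being a plain variable, so assigning it behaves differently from bash and can fail; a project-specific name such as `MIC_GID` (with the matching `${MIC_GID:-1000}` in both compose files) avoids the clash. A `#!/usr/bin/env bash` shebang plus a one-line comment stating that the file is meant to be sourced, not executed, would make the intent explicit.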