Application with a reverse proxy in front of the applications
Containing a git server (Gitea) and a Docker registry
Containing resource, application and network monitoring applications, with health checkers to be alerted when a problem occurs
Yohem VAXELAIRE [email protected]
- Nginx Reverse Proxy
- letsencrypt/certbot
- Portainer
- grafana
- Prometheus
- CAdvisor
- mailu (full)/mail-server
- gitea
- Monitoring :
- Prometheus
- node-exporter
- Grafana
- Cadvisor
- alert_manager
- performance fixing (cAdvisor, Prometheus, Grafana)
- Management
- Portainer
- Git Full
- Gitea
- Actions-Runner
- config
- use an internal network
- save data on reload
- GateWay
- Nginx Proxy
- CertBot
- User Management
- automatically create SSL certificates (access to /etc/letsencrypt)
- do monitoring without alerting
- do full management
- do nginx proxy
- do gitea
- mail server
- Alerting
- nginx metrics
- Prometheus
- initialise prometheus.yml so that Prometheus scrapes itself
- check that the prometheus target is "up" in the Prometheus web app
- grafana
- datasources config: Prometheus
- enable Docker metrics in daemon.json
- add Docker's metrics to the Prometheus config
- node exporter
- mount the host's "root", sys and proc volumes read-only
- set volumes in args command entrypoint
- Add collector in args command entrypoint
- add node exporter's metrics to the Prometheus config
- add graphs to Grafana with Prometheus data
- or import preset on grafana labs
- Cadvisor
- add the cAdvisor and redis images
- mount the host's "root", sys and proc volumes read-only
- mount /var/run in rw mode
- cAdvisor depends_on redis
- portainer
- mount the host's "root" and /docker.sock:ro read-only
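The read-only mounts for node-exporter, cAdvisor and Portainer listed above, written out as an added compose example (not the notes' own file). Image tags and the network names `monitoring` / `proxy_net` are assumptions.

```yaml
# Added example (not the author's compose file): node-exporter, cAdvisor and
# Portainer with the read-only host mounts from the notes. Image tags and the
# network names are assumptions.
services:
  node-exporter:
    image: prom/node-exporter:latest   # assumed tag
    restart: always
    pid: host                          # see host processes, not the container's
    command:                           # collectors and paths passed as entrypoint args
      - --path.rootfs=/host
      - --path.procfs=/host/proc
      - --path.sysfs=/host/sys
      - --collector.processes          # extra collector, disabled by default
    volumes:
      - /:/host:ro,rslave              # host "root", read-only
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
    networks: [monitoring]

  redis:
    image: redis:alpine                # assumed tag
    networks: [monitoring]

  cadvisor:
    image: gcr.io/cadvisor/cadvisor:latest   # assumed tag
    restart: always
    depends_on: [redis]
    volumes:
      - /:/rootfs:ro
      - /sys:/sys:ro
      - /var/lib/docker:/var/lib/docker:ro
      - /var/run:/var/run:rw           # the one rw mount: container runtime sockets
    networks: [monitoring]

  portainer:
    image: portainer/portainer-ce:latest     # assumed tag
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # ":ro" only protects the socket node
      - portainer_data:/data
    networks: [monitoring, proxy_net]

networks:
  monitoring:
  proxy_net:
    external: true

volumes:
  portainer_data:
```

`:ro` on docker.sock does not restrict the Docker API (anyone who can write to the socket controls the host), so only the services that need it get the socket and it is never exposed through the proxy.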
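The prometheus.yml that the steps above build up (self-scrape, Docker metrics, node exporter, cAdvisor), as an added example rather than the notes' own file. Service names, the alertmanager target and the `172.17.0.1` Docker address are assumptions.

```yaml
# Added example prometheus.yml (not the author's file). Targets assume compose
# service names node-exporter, cadvisor and alertmanager on one network.
global:
  scrape_interval: 15s
  evaluation_interval: 15s

alerting:
  alertmanagers:
    - static_configs:
        - targets: ["alertmanager:9093"]   # assumed service name

scrape_configs:
  # Step 1: Prometheus scrapes itself. This target must show UP on /targets
  # before anything else is added.
  - job_name: prometheus
    static_configs:
      - targets: ["localhost:9090"]

  # Docker engine metrics (metrics-addr in /etc/docker/daemon.json, port 9323).
  # A daemon bound to 127.0.0.1 is not reachable from a container; this assumes
  # metrics-addr was set to the docker0 gateway address instead.
  - job_name: docker
    static_configs:
      - targets: ["172.17.0.1:9323"]

  - job_name: node-exporter
    static_configs:
      - targets: ["node-exporter:9100"]

  - job_name: cadvisor
    static_configs:
      - targets: ["cadvisor:8080"]
```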
- gitea
- create the PostgreSQL database
- set the database ownership on the volume (70:70)
- create the git user
sudo adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
- sshing
- bind /home/git/.ssh/:/git/.ssh/
- create an SSH key for the git user
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"
- add the key to authorized_keys
sudo -u git cat /home/git/.ssh/id_rsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys
sudo -u git chmod 600 /home/git/.ssh/authorized_keys
- SSH forwarding from host to container (change port)
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
# [email protected] is redacted in the source: the git user at the container's SSH address
ssh -p 2222 -o StrictHostKeyChecking=no [email protected] "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
# the wrapper must be executable for sshd to run it
sudo chmod +x /usr/local/bin/gitea
- Add the git user to the SSH connection in
/usr/local/bin/git
(change port)
# sshd_config Match block; the -p port must be the same container SSH port used in the wrapper script
Match User git
    AuthorizedKeysCommandUser git
    AuthorizedKeysCommand /usr/bin/ssh -p 2222 -o StrictHostKeyChecking=no [email protected] /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
- add the SSH key in the Gitea web panel to be able to push
- Actions-Runner
- add act_runner to docker
- set up depends_on
- set restart: always
- mount volumes for docker.sock, the config.yml file and data
- Set up Env
- CONFIG_FILE is the path of config.yml inside the container (as in the mount)
- GITEA_INSTANCE_URL is the full URL of the Gitea server (use the external one)
- GITEA_RUNNER_NAME is the name of the Actions runner (cosmetic)
- GITEA_RUNNER_REGISTRATION_TOKEN is a token found in Admin panel > Actions in the Gitea web interface
- don't mount the config file or set the CONFIG_FILE env if you don't know how to write the config (just don't forget restart: always)
- Test the actions runner
1. create ./.gitea/workflows/name.yml
example:
name: Gitea Actions Demo
run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: ubuntu-latest
    steps:
      - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event."
      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!"
      - run: echo "🔎 The name of your branch is ${{ gitea.ref }} and your repository is ${{ gitea.repository }}."
      - name: Check out repository code
        uses: actions/checkout@v4
      - run: echo "💡 The ${{ gitea.repository }} repository has been cloned to the runner."
      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
      - name: List files in the repository
        run: |
          ls ${{ gitea.workspace }}
      - run: echo "🍏 This job's status is ${{ job.status }}."
- set up the internal network
- create external network for gitea
- edit network in config.yml to add the gitea's external network
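The act_runner service with the environment variables and the external Gitea network described above, as an added compose example (not the notes' own file). The network name `gitea_net`, the URL and the runner name are assumptions; the token is a placeholder.

```yaml
# Added example (not the author's compose file). gitea_net, the URL and the
# runner name are assumptions; the registration token is a placeholder.
services:
  act_runner:
    image: gitea/act_runner:latest       # assumed tag
    restart: always                      # needed: the runner exits if Gitea is not up yet
    depends_on:
      - gitea                            # assumes a gitea service in the same compose file
    environment:
      CONFIG_FILE: /config.yml                         # same path as the mount below
      GITEA_INSTANCE_URL: https://git.example.com      # external URL of Gitea (placeholder)
      GITEA_RUNNER_NAME: vps-runner                    # cosmetic
      GITEA_RUNNER_REGISTRATION_TOKEN: "<token from Admin panel > Actions>"   # placeholder
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock      # job containers are started through the host daemon
      - ./act_runner/config.yml:/config.yml:ro
      - ./act_runner/data:/data
    networks:
      - gitea_net

networks:
  gitea_net:
    external: true      # created beforehand with: docker network create gitea_net

# ./act_runner/config.yml (start from `act_runner generate-config`); the one
# setting the notes change so job containers can reach Gitea by name:
#   container:
#     network: gitea_net
```

The token belongs in an `env_file` kept out of the repository rather than in the compose file itself, since a registration token lets any host enrol as a runner for the instance.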
- Set up Nginx
- Create the config file layout
- disable 443/ssl on http server
- open port you need
- run with
["/usr/sbin/nginx", "-g", "daemon off;"]
- initialise CertBot
- Create cert auto script
- mount
/etc/nginx
and /var/www/certbot:rw
- Create same mount on nginx
- Enable the 443/ssl part in the http section
- Add a new domains
- add network external to Nginx
- create the conf without ssl
- register Domains in domain env certbot
- run compose
- enable ssl
- reload compose
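The nginx and certbot services sharing the `/etc/nginx` and `/var/www/certbot` mounts from the steps above, as an added compose example (not the notes' own file). Domains and e-mail are placeholders; the renewal loop and host paths are assumptions.

```yaml
# Added example (not the author's compose file): nginx serves the ACME webroot
# over port 80 first; 443 is enabled in the server block once the cert exists.
services:
  nginx:
    image: nginx:1.27.2-alpine
    restart: always
    command: ["/usr/sbin/nginx", "-g", "daemon off;"]
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf:/etc/nginx:ro            # server blocks (HTTP-only until the cert exists)
      - ./certbot/data:/etc/letsencrypt:ro    # certificates: read-only for nginx
      - ./certbot/www:/var/www/certbot:ro     # /.well-known/acme-challenge/ files
    networks: [proxy_net]

  certbot:
    image: certbot/certbot:latest
    environment:
      DOMAINS: "example.com www.example.com"  # placeholder, space separated
      EMAIL: admin@example.com                # placeholder
    volumes:
      - ./certbot/data:/etc/letsencrypt:rw    # same mount as nginx, but writable here
      - ./certbot/www:/var/www/certbot:rw
    # webroot challenge: nginx must already answer on port 80 for these names.
    # --keep-until-expiring makes re-running the stack safe (no rate-limit hits).
    entrypoint: >
      sh -c 'set -e;
      for d in $$DOMAINS; do
        certbot certonly --webroot -w /var/www/certbot -d "$$d"
          --email "$$EMAIL" --agree-tos --non-interactive --keep-until-expiring;
      done;
      trap exit TERM;
      while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done'

networks:
  proxy_net:
    external: true
```

After the first issue (and after each renewal) nginx has to be reloaded to pick up the new files, e.g. `docker compose exec nginx nginx -s reload`, which is the "enable ssl / reload compose" step of the notes.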
choice:
- mailcow
- mailu
- postfix
- poste.io
- dockermailserver
- instrumentisto/opendkim
- instrumentisto/opendmarc
- haraka/rspamd
pop3(110), imap(110), lmtp(24), submission (587), manageSieve(4190):
smtp:
- set up the Domains zone
- A = IPv4 | AAAA = IPv6
- Set up @ on the server
- Set up mail.dnsname on the server
- Start the container
- Configure the reverse proxy for web access
- create MX Field in DNS Area with domain(@) for name and server mail's domain for the server field
- create TXT field "_dmarc" with value
"v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
"v=DMARC1; p=none; rua=mailto:[email protected]"
- create a TXT record whose name is the domain (@) and which points to the mail MX server:
"v=spf1 mx ~all"
"v=spf1 a mx ip4:91.108.113.88 ~all"
- create the DKIM key TXT record
- generate the DKIM key in the mail server's web panel
- copy the first part of the generated DKIM key for the name field and the part between the quotes (") for the value
- install ROCm
# version
ver=6.2
# amdgpu repository for jammy
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rocm.gpg] https://repo.radeon.com/amdgpu/$ver/ubuntu jammy main" \
    | sudo tee /etc/apt/sources.list.d/amdgpu.list
sudo apt update
# ROCm repository (this loop sets ver to 5.2, independent of the 6.2 above)
for ver in 5.2; do
    echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rocm.gpg] https://repo.radeon.com/rocm/apt/$ver jammy main" \
        | sudo tee --append /etc/apt/sources.list.d/rocm.list
done
# pin the AMD repository above the distribution packages
echo -e 'Package: *\nPin: release o=repo.radeon.com\nPin-Priority: 600' \
    | sudo tee /etc/apt/preferences.d/rocm-pin-600
sudo apt update
\VPS
    \Monitoring
        \Portainer
        \Grafana
        \Prometheus
        \CAdvisor
    \Reverse-Proxy
        \Nginx
            \data
            \Conf
        \Certbot
            \data
            \Cert
    \mail
    \Gitea
    \Projet
        \Labs
        \MinePiece
        \VDV
- Nginx Reverse Proxy : 80, 443
- letsencrypt/certbot : 80
- Portainer : 8000
- grafana : 8080
- prometheus : 9090
- Node exporter : 9100
- mailu (full)/mail-server : ??
- gitea: 22, 3000
- Nginx Reverse Proxy : 80, 443
- Prometheus : 9090
- Node exporter : 9100
- Docker : 9323
- Proxy_Net
- Monitoring
- Part_Prj_Name
- Portainer : portainer.vaxelaire.fr
- grafana : monitoring.vaxelaire.fr
- prometheus : portainer.vaxelaire.f
- mailu (full)/mail-server : mail.vaxelaire.fr, mail.minepiece.fr
- gitea : git.vaxelaire.fr
- gitea/gitea:1.22.3
- registry:2.8
- nginx:1.27.2-alpine
- postgres:17-alpine3.20
- certbot/certbot:latest
- grafana/grafana:main
- prom/prometheus:main
Containing CI/CD that pushes automatically to the Docker registry
https://docs.gitea.com/installation/install-with-docker
https://distribution.github.io/distribution/
Get certificates for the domains
Separation of the apps
- Grafana
- Prometheus
add to /etc/docker/daemon.json
{
"metrics-addr": "127.0.0.1:9323"
}
run systemctl restart docker
create prometheus.yml
enable chown on WSL
/etc/wsl.conf
[automount]
options = "metadata"
create the required users
sudo adduser --system grafana -u 472
sudo adduser --system postgres -u 70
(DinD) For ephemeral applications
- gestion network
- CI/CD
- grafana
- Prometheus
- health check
- DinD (docker in docker)
Challenge:
- git container (gitea)
- registry docker