690418:1638 Refactor Infra gitea
@@ -0,0 +1,83 @@
# Docker Compose Stacks (v1.8.6)

Production compose files for the NP-DMS / LCBP3 platform. All stacks share one external Docker network `lcbp3`.

## Layout

```
04-00-docker-compose/
├── .env.template # Master template (placeholders)
├── x-base.yml # Shared YAML anchors (S2)
├── SECURITY-MIGRATION-v1.8.6.md # Full C/H/M/L/S migration runbook
├── QNAP/
│ ├── app/ docker-compose-app.yml (backend, frontend, clamav)
│ ├── mariadb/ docker-compose-lcbp3-db.yml (mariadb, pma)
│ ├── service/ docker-compose.yml (cache, search)
│ ├── npm/ docker-compose.yml (npm, landing)
│ ├── gitea/ docker-compose.yml (gitea)
│ ├── n8n/ docker-compose.yml (n8n, n8n-db, tika, docker-socket-proxy)
│ ├── rocketchat/ docker-compose.yml (mongodb, mongo-init-replica, rocketchat)
│ └── monitoring/ docker-compose.yml (node-exporter, cadvisor — QNAP-side exporters)
└── ASUSTOR/
├── registry/ docker-compose.yml (registry, registry-ui)
├── gitea-runner/ docker-compose.yml (gitea act_runner)
└── monitoring/ docker-compose.yml (prometheus, grafana, loki, promtail, uptime-kuma, node-exporter, cadvisor)
```

## Usage (per stack)

```bash
# 1. place a gitignored .env in the stack folder
cp .env.example .env # or copy relevant vars from ../../.env.template
vi .env
chmod 600 .env

# 2. up the stack (Compose V2)
docker compose --env-file .env -f docker-compose.yml up -d
```

## Security (Non-Negotiable — see `SECURITY-MIGRATION-v1.8.6.md`)

- **Tier-1:** No secrets in compose files; `.env` is gitignored; `JWT_SECRET` ≠ `AUTH_SECRET`
- **Redis:** `--requirepass` enforced on server
- **Elasticsearch:** internal network only
- **MariaDB:** root and app user split; loopback bind
- **MongoDB:** `--auth --keyFile`
- **Registry:** htpasswd
- **ClamAV:** mandatory upstream of backend uploads (ADR-016)
- **AI boundary:** Ollama / AI only on Admin Desktop (ADR-018)

## Shared YAML Anchors (S2)

If your Compose version supports `include:` (V2.20+), reference `x-base.yml`:

```yaml
include:
- path: ../../x-base.yml

services:
mysvc:
<<: [*restart_policy, *default_logging, *hardening]
```

Otherwise, keep the inline anchor pattern (current repo-wide convention).

## Secret Management Roadmap (S1)

Current: `env_file: .env` (gitignored) per stack.

Future (order of preference):

1. **Docker secrets** (Swarm) — rotate-in-place, no FS exposure
2. **External secret manager** — Infisical / Vault / Bitwarden Secrets Manager
3. **SOPS-encrypted** `.env.sops` files in the repo (age/GPG) — nice middle ground; Ops unseals at deploy time

Tracking issue: open a task under `specs/04-Infrastructure-OPS/` when choosing a direction.

## Per-stack `.env.example` Files (S3)

Each stack has its own `.env.example` listing only the vars it consumes. Copy → edit → `chmod 600`.

## Release / Deploy Gates

See `specs/04-Infrastructure-OPS/04-08-release-management-policy.md` for the blue-green rollout procedure.
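Review bot: the `include:` snippet under "Shared YAML Anchors (S2)" does not work as written: `include:` loads `x-base.yml` as a separate Compose file and merges the resulting models, but YAML anchors are scoped to the document that defines them, so `<<: [*restart_policy, *default_logging, *hardening]` in the including file is rejected as an unknown alias. Cross-file reuse needs `extends:` (e.g. `extends: { file: ../../x-base.yml, service: <base-service> }`) or the inline anchor pattern the following sentence already recommends; suggest dropping the `include:` example or rewriting it around `extends:`. Two smaller inconsistencies in the Usage block: `cp .env.example .env` (and section S3) assume a per-stack `.env.example`, but the Layout tree lists only the root `.env.template`, so either add the `.env.example` files to the tree or say they have to be created; and `-f docker-compose.yml` does not match the `app/` and `mariadb/` stacks, whose files are `docker-compose-app.yml` and `docker-compose-lcbp3-db.yml`. Lastly, "MariaDB: root and app user split; loopback bind" is ambiguous: a `bind-address=127.0.0.1` inside the container would also cut off the backend on the `lcbp3` network, so state explicitly whether this means publishing the port only as `127.0.0.1:3306:3306` on the NAS host while the container stays reachable on `lcbp3`.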